{ "type": "bundle", "id": "bundle--421eadba-217b-48d9-bdbb-a488d002d170", "objects": [ { "type": "x-mitre-matrix", "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/matrices/mobile-attack", "external_id": "mobile-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:50.259Z", "name": "Network-Based Effects", "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrices contains information for the following platforms: Android, iOS.", "tactic_refs": [ "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "x-mitre-matrix", "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/matrices/mobile-attack", "external_id": "mobile-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-14T17:30:39.329Z", "name": "Mobile ATT&CK", "description": "Below are the tactics and techniques representing the MITRE ATT&CK Matrix for Mobile. 
The Matrix covers techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrix contains information for the following platforms: Android, iOS.", "tactic_refs": [ "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "created": "2017-10-25T14:48:51.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1006", "external_id": "M1006" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:08.756Z", "name": "Use Recent OS Version", "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. 
They may also bring improvements that block use of observed adversary techniques.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "created": "2019-10-18T12:49:58.924Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1005", "external_id": "M1005" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:49.664Z", "name": "Application Vetting", "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. 
Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "modified": "2024-12-10T16:07:50.023Z", "name": "Application Developer Guidance", "description": "Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures:\n \nPreventing SQL Injection (Secure Coding Practice):\n\n- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries.\n- Use Case: A web application accepts user input to search a database. By passing user input to the database only through parameterized queries (input validation alone is not a reliable defense against SQL injection), developers can prevent attackers from injecting malicious SQL commands.\n\nCross-Site Scripting (XSS) Mitigation:\n\n- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page.\n- Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user-supplied content at the point where it is rendered prevents malicious scripts from being executed in other users\u2019 browsers.\n\nSecure API Design:\n\n- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses.\n- Use Case: A mobile banking application uses APIs for account management. 
By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.\n\nStatic Code Analysis in the Build Pipeline:\n\n- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process.\n- Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.\n\nThreat Modeling in the Design Phase:\n\n- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design.\n- Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.\n\n**Tools for Implementation**:\n\n- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code.\n- Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities.\n- Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices.", "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.2", "type": "course-of-action", "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1013", "external_id": "M1013" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "course-of-action", "id": 
"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "created": "2017-10-25T14:48:53.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1012", "external_id": "M1012" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:09.487Z", "name": "Enterprise Policy", "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "created": "2019-10-18T12:53:03.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1011", "external_id": "M1011" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:09.845Z", "name": "User Guidance", "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "modified": "2024-02-20T22:02:55.968Z", "name": "Do Not Mitigate", "description": "This category is used to associate techniques for which attempting mitigation might increase the risk of compromise; for such techniques, mitigation is therefore not recommended.", "x_mitre_deprecated": false, 
"x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--76a32151-5233-465f-a607-7e576c62c932", "created": "2024-02-20T22:02:55.968Z", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1059", "external_id": "M1059" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "course-of-action", "id": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "created": "2023-09-21T19:36:08.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1058", "external_id": "M1058" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:18.330Z", "name": "Antivirus/Antimalware", "description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "created": "2017-10-25T14:48:52.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1004", "external_id": "M1004" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:10.556Z", "name": "System Partition 
Integrity", "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically verifies the integrity of the system partition at boot. This protection depends on the bootloader remaining locked (see M1003, Lock Bootloader), since an unlocked bootloader allows arbitrary operating system code to be flashed onto the device.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "created": "2017-10-25T14:48:50.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1009", "external_id": "M1009" }, { "source_name": "TechCrunch-ATS", "description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.", "url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/" }, { "source_name": "Android-NetworkSecurityConfig", "description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.", "url": "https://developer.android.com/training/articles/security-config.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:10.924Z", "name": "Encrypt Network Traffic", "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol, with server certificate validation left enabled, to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could additionally perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. 
Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "created": "2017-10-25T14:48:49.554Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1003", "external_id": "M1003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:11.299Z", "name": "Lock Bootloader", "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "created": "2019-10-18T12:51:36.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1001", "external_id": 
"M1001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:11.661Z", "name": "Security Updates", "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "created": "2017-10-25T14:48:52.601Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1010", "external_id": "M1010" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:12.032Z", "name": "Deploy Compromised Device Detection Method", "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. 
Some methods may be trivial to evade while others may be more sophisticated.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "created": "2017-10-25T14:48:50.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1014", "external_id": "M1014" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:19.290Z", "name": "Interconnection Filtering", "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "created": "2017-10-25T14:48:51.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1007", 
"external_id": "M1007" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:49.835Z", "name": "Caution with Device Administrator Access", "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "course-of-action", "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "created": "2019-10-18T12:50:35.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1002", "external_id": "M1002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:12.762Z", "name": "Attestation", "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, { "type": "malware", "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "created": "2020-11-10T16:50:38.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/software/S0529", "external_id": "S0529" }, { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:13.122Z", "name": "CarbonSteal", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "CarbonSteal" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "created": "2020-06-26T15:32:24.569Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0480", "external_id": "S0480" }, { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:13.502Z", "name": "Cerberus", "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. The authors of [Cerberus](https://attack.mitre.org/software/S0480) claim it was used in private operations for two years before being made available to rent.(Citation: Threat Fabric Cerberus)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Cerberus" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "created": "2017-10-25T14:48:40.571Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0320", "external_id": "S0320" }, { "source_name": "DroidJack", "description": "(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)" }, { "source_name": "Proofpoint-Droidjack", "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.", "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app" }, { "source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:03.310Z", "name": "DroidJack", "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "DroidJack" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "created": "2019-09-23T13:36:07.816Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0411", "external_id": "S0411" }, { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:14.047Z", "name": "Rotexy", "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. 
It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Rotexy" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0328", "external_id": "S0328" }, { "source_name": "Stealth Mango", "description": "(Citation: Lookout-StealthMango)" }, { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:14.412Z", "name": "Stealth Mango", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. 
(Citation: Lookout-StealthMango)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Stealth Mango" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0319", "external_id": "S0319" }, { "source_name": "Allwinner", "description": "(Citation: HackerNews-Allwinner)" }, { "source_name": "HackerNews-Allwinner", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:14.772Z", "name": "Allwinner", "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. 
(Citation: HackerNews-Allwinner)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "created": "2020-12-24T22:04:27.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0551", "external_id": "S0551" }, { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:15.155Z", "name": "GoldenEagle", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "GoldenEagle" ], "labels": [ "malware" ] }, { "modified": "2024-03-19T18:32:01.207Z", "name": "FlixOnline", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) is an Android malware, first detected in early 2021, believed to target users of WhatsApp. 
[FlixOnline](https://attack.mitre.org/software/S1103) primarily spreads via automatic replies to a device\u2019s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421) ", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "FlixOnline" ], "type": "malware", "id": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "created": "2024-01-26T17:30:31.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1103", "external_id": "S1103" }, { "source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "created": "2020-05-04T14:04:55.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0432", "external_id": "S0432" }, { "source_name": "Joker", "description": "(Citation: Google Bread)" }, { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:04.130Z", "name": "Bread", "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Sergey Persikov, Check Point", "Jonathan Shimonovich, Check Point", "Aviran Hazum, Check Point" ], "x_mitre_aliases": [ "Bread", "Joker" ], "labels": [ "malware" ] }, { "modified": "2025-04-02T14:42:15.961Z", "name": "TriangleDB", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) is an implant written in Objective-C, deployed after [Binary Validator](https://attack.mitre.org/software/S1215) and after root privileges are obtained during [Operation Triangulation](https://attack.mitre.org/campaigns/C0054)\u2019s infection chain. 
Upon execution, [TriangleDB](https://attack.mitre.org/software/S1216) communicates with the C2 server, relaying information about the victim device.(Citation: SecureList OpTriangulation 21Jun2023) ", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "TriangleDB" ], "type": "malware", "id": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "created": "2025-03-27T22:51:45.705Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1216", "external_id": "S1216" }, { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "modified": "2023-10-07T21:29:43.845Z", "name": "Hornbill", "description": "[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. 
While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Hornbill" ], "type": "malware", "id": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "created": "2023-06-09T19:07:18.101Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1077", "external_id": "S1077" }, { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0325", "external_id": "S0325" }, { "source_name": "Judy", "description": "(Citation: CheckPoint-Judy)" }, { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:16.257Z", "name": "Judy", "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "created": "2017-10-25T14:48:45.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0285", "external_id": "S0285" }, { "source_name": "OldBoot", "description": "(Citation: HackerNews-OldBoot)" }, { "source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:16.618Z", "name": "OldBoot", "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. 
(Citation: HackerNews-OldBoot)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "created": "2017-10-25T14:48:43.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0290", "external_id": "S0290" }, { "source_name": "Gooligan", "description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" }, { "source_name": "Ghost Push", "description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" }, { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" }, { "source_name": "Ludwig-GhostPush", "description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.", "url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi" }, { "source_name": "Lookout-Gooligan", "description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. 
Retrieved December 12, 2016.", "url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:16.979Z", "name": "Gooligan", "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Gooligan", "Ghost Push" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "created": "2017-10-25T14:48:45.794Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0305", "external_id": "S0305" }, { "source_name": "SpyNote RAT", "description": "(Citation: Zscaler-SpyNote)" }, { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:17.353Z", "name": "SpyNote RAT", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. 
The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "SpyNote RAT" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "created": "2020-04-24T17:46:31.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0427", "external_id": "S0427" }, { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:17.722Z", "name": "TrickMo", "description": "[TrickMo](https://attack.mitre.org/software/S0427) is a 2FA bypass mobile banking trojan, most likely distributed by [TrickBot](https://attack.mitre.org/software/S0266). 
[TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Ohad Mana, Check Point", "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "TrickMo" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "created": "2020-06-02T14:32:31.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0463", "external_id": "S0463" }, { "source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:18.080Z", "name": "INSOMNIA", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "INSOMNIA" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", "created": "2019-12-10T16:07:40.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0420", "external_id": "S0420" }, { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:18.436Z", "name": "Dvmap", "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. 
It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Dvmap" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "created": "2020-07-27T14:14:56.729Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0494", "external_id": "S0494" }, { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:18.792Z", "name": "Zen", "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Zen" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "created": "2017-10-25T14:48:36.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0299", "external_id": "S0299" }, { "source_name": "NotCompatible", "description": "(Citation: Lookout-NotCompatible)" 
}, { "source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:19.154Z", "name": "NotCompatible", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "created": "2023-12-18T19:00:02.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1095", "external_id": "S1095" }, { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-22T21:22:24.938Z", "name": "AhRat", "description": "[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. 
[AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, \u201ciRecorder \u2013 Screen Recorder,\u201d which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Edward Stevens, BT Security" ], "x_mitre_aliases": [ "AhRat" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0318", "external_id": "S0318" }, { "source_name": "XLoader for Android", "description": "(Citation: TrendMicro-XLoader)" }, { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" }, { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:19.697Z", "name": "XLoader for Android", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "XLoader for Android" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "created": "2017-10-25T14:48:46.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0306", "external_id": "S0306" }, { "source_name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:20.063Z", "name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "created": "2020-07-20T13:58:53.422Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0490", "external_id": "S0490" }, { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:20.425Z", "name": "XLoader for iOS", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "XLoader for iOS" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "created": "2023-02-06T18:48:41.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1061", "external_id": "S1061" }, { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:06.208Z", "name": "AbstractEmu", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. 
It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States; however, victims are believed to be spread across a total of 17 countries.(Citation: lookout_abstractemu_1021)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "AbstractEmu" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "created": "2023-08-16T16:30:44.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1083", "external_id": "S1083" }, { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T03:53:35.020Z", "name": "Chameleon", "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. 
Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of [Chameleon](https://attack.mitre.org/software/S1083) has expanded its targets to include Android users in the United Kingdom and Italy.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Liran Ravich, CardinalOps", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India", "Yasuhito Kawanishi, NEC Corporation" ], "x_mitre_aliases": [ "Chameleon" ], "labels": [ "malware" ] }, { "modified": "2024-11-17T18:31:54.806Z", "name": "Exodus", "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Exodus", "Exodus One", "Exodus Two" ], "type": "malware", "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "created": "2019-09-03T19:45:47.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0405", "external_id": "S0405" }, { "source_name": "Exodus One", "description": "(Citation: SWB Exodus March 2019)" }, { "source_name": "Exodus Two", "description": "(Citation: SWB Exodus March 2019)" }, { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). 
Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "created": "2017-10-25T14:48:37.438Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0301", "external_id": "S0301" }, { "source_name": "Dendroid", "description": "(Citation: Lookout-Dendroid)" }, { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:21.321Z", "name": "Dendroid", "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. 
The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Dendroid" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "created": "2017-10-25T14:48:37.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0312", "external_id": "S0312" }, { "source_name": "WireLurker", "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.", "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" }, { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:21.687Z", "name": "WireLurker", "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. 
(Citation: PaloAlto-WireLurker)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "modified": "2025-01-13T17:52:20.612Z", "name": "Desert Scorpion", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor [APT-C-23](https://attack.mitre.org/groups/G1028).(Citation: Lookout Desert Scorpion) \n\nThere are multiple close variants of [Desert Scorpion](https://attack.mitre.org/software/S0505), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [FrozenCell](https://attack.mitre.org/software/S0577) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_aliases": [ "Desert Scorpion" ], "type": "malware", "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "created": "2020-09-11T14:54:16.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0505", "external_id": "S0505" }, { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" }, { "source_name": "Unit42 VAMP 2017", "description": "Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" }, { "source_name": "Trendmicro GnatSpy 2017", "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "modified": "2024-04-06T00:01:53.588Z", "name": "Pegasus for iOS", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. 
It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_aliases": [ "Pegasus for iOS" ], "type": "malware", "id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "created": "2017-10-25T14:48:44.238Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0289", "external_id": "S0289" }, { "source_name": "Pegasus for iOS", "description": "(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)" }, { "source_name": "PegasusCitizenLab", "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" }, { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0329", "external_id": "S0329" }, { "source_name": "Tangelo", "description": "(Citation: Lookout-StealthMango)" }, { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:22.408Z", "name": "Tangelo", "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. 
(Citation: Lookout-StealthMango)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Tangelo" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "created": "2017-10-25T14:48:38.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0295", "external_id": "S0295" }, { "source_name": "RCSAndroid", "description": "(Citation: TrendMicro-RCSAndroid)" }, { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:22.773Z", "name": "RCSAndroid", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. 
(Citation: TrendMicro-RCSAndroid)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "RCSAndroid" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "created": "2020-04-24T15:06:32.870Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0425", "external_id": "S0425" }, { "source_name": "Wabi Music", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "Concipit1248", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:23.129Z", "name": "Corona Updates", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. 
Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Corona Updates", "Wabi Music", "Concipit1248" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0327", "external_id": "S0327" }, { "source_name": "Skygofree", "description": "(Citation: Kaspersky-Skygofree)" }, { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:23.488Z", "name": "Skygofree", "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. 
(Citation: Kaspersky-Skygofree)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Skygofree" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "created": "2017-10-25T14:48:43.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0288", "external_id": "S0288" }, { "source_name": "KeyRaider", "description": "(Citation: Xiao-KeyRaider)" }, { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:23.854Z", "name": "KeyRaider", "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. 
(Citation: Xiao-KeyRaider)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "created": "2017-10-25T14:48:44.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0287", "external_id": "S0287" }, { "source_name": "ZergHelper", "description": "(Citation: Xiao-ZergHelper)" }, { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:24.224Z", "name": "ZergHelper", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. 
(Citation: Xiao-ZergHelper)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--3cf81957-489a-469f-b013-362d548a96c1", "created": "2025-06-25T15:32:53.278Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1225", "external_id": "S1225" }, { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-23T20:45:51.613Z", "name": "CherryBlos", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. [CherryBlos](https://attack.mitre.org/software/S1225) was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. 
The threat actors behind [CherryBlos](https://attack.mitre.org/software/S1225) uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Liran Ravich, CardinalOps" ], "x_mitre_aliases": [ "CherryBlos" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "created": "2020-12-24T21:50:02.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0550", "external_id": "S0550" }, { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:24.588Z", "name": "DoubleAgent", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "DoubleAgent" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "created": "2026-02-16T15:40:59.504Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S9005", "external_id": "S9005" }, { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T02:05:27.803Z", "name": "DocSwap", "description": "[DocSwap](https://attack.mitre.org/software/S9005) is an Android malware first identified in 2025, and attributed to [Kimsuky](https://attack.mitre.org/groups/G0094). [DocSwap](https://attack.mitre.org/software/S9005)\u2019s name is a combination of its Korean name \u201c\ubb38\uc11c\uc5f4\ub78c \uc778\uc99d \uc571\u201d (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on [DocSwap](https://attack.mitre.org/software/S9005)\u2019s name and Korean-language strings, [DocSwap](https://attack.mitre.org/software/S9005) potentially targets mobile device users in South Korea. Several variants of [DocSwap](https://attack.mitre.org/software/S9005) exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Wai Linn Oo, Kernellix Co.,Ltd." 
], "x_mitre_aliases": [ "DocSwap" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "created": "2017-10-25T14:48:42.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0302", "external_id": "S0302" }, { "source_name": "Twitoor", "description": "(Citation: ESET-Twitoor)" }, { "source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:24.958Z", "name": "Twitoor", "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Twitoor" ], "labels": [ "malware" ] }, { "modified": "2023-10-11T14:36:39.396Z", "name": "Fakecalls", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. 
It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422) ", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Pooja Natarajan, NEC Corporation India", "Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India" ], "x_mitre_aliases": [ "Fakecalls" ], "type": "malware", "id": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "created": "2023-07-21T19:49:44.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1080", "external_id": "S1080" }, { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "created": "2023-02-06T19:34:43.026Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1062", "external_id": "S1062" }, { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" }, { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. 
(2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:08.121Z", "name": "S.O.V.A.", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "S.O.V.A." ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "created": "2017-10-25T14:48:47.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0310", "external_id": "S0310" }, { "source_name": "ANDROIDOS_ANSERVER.A", "description": "(Citation: TrendMicro-Anserver)" }, { "source_name": "TrendMicro-Anserver", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. 
Retrieved February 6, 2017.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:25.685Z", "name": "ANDROIDOS_ANSERVER.A", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "ANDROIDOS_ANSERVER.A" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--4e164a21-3fbe-4aaa-be69-2513fdba90f7", "created": "2026-04-20T13:01:30.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S9030", "external_id": "S9030" }, { "source_name": "Check Point Wirte NOV 2024", "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. 
Retrieved April 20, 2026.", "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-22T00:47:27.191Z", "name": "SameCoin", "description": "[SameCoin](https://attack.mitre.org/software/S9030) is a multi-platform wiper with Windows and Android versions that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) to target entities in the Middle East including in Israel.(Citation: Check Point Wirte NOV 2024)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Windows", "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_aliases": [ "SameCoin" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "created": "2017-10-25T14:48:41.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0315", "external_id": "S0315" }, { "source_name": "DualToy", "description": "(Citation: PaloAlto-DualToy)" }, { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:26.050Z", "name": "DualToy", "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. 
(Citation: PaloAlto-DualToy)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "created": "2020-07-15T20:20:58.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0485", "external_id": "S0485" }, { "source_name": "oxide", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "briar", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "ricinus", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "darkmatter", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:26.424Z", "name": "Mandrake", "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. 
The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Mandrake", "oxide", "briar", "ricinus", "darkmatter" ], "labels": [ "malware" ] }, { "modified": "2024-04-10T21:58:07.962Z", "name": "HilalRAT", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) is a remote access-capable Android malware, developed and used by [UNC788](https://attack.mitre.org/groups/G1029).(Citation: Meta Adversarial Threat Report 2022) [HilalRAT](https://attack.mitre.org/software/S1128) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.(Citation: Meta Adversarial Threat Report 2022) ", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Denise Tan" ], "x_mitre_aliases": [ "HilalRAT" ], "type": "malware", "id": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "created": "2024-04-02T19:01:36.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1128", "external_id": "S1128" }, { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "created": "2017-10-25T14:48:42.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0314", "external_id": "S0314" }, { "source_name": "X-Agent for Android", "description": "(Citation: CrowdStrike-Android)" }, { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:26.968Z", "name": "X-Agent for Android", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. 
(Citation: CrowdStrike-Android) It is tracked separately from [CHOPSTICK](https://attack.mitre.org/software/S0023).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "created": "2020-06-26T15:12:39.648Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0479", "external_id": "S0479" }, { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:27.329Z", "name": "DEFENSOR ID", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. 
[DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET" ], "x_mitre_aliases": [ "DEFENSOR ID" ], "labels": [ "malware" ] }, { "modified": "2024-04-17T17:06:28.821Z", "name": "BRATA", "description": "[BRATA](https://attack.mitre.org/software/S1094) (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, [BRATA](https://attack.mitre.org/software/S1094) was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of [BRATA](https://attack.mitre.org/software/S1094).(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Pooja Natarajan, NEC Corporation India" ], "x_mitre_aliases": [ "BRATA" ], "type": "malware", "id": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "created": "2023-12-18T18:06:22.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1094", "external_id": "S1094" }, { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" }, { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" }, { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "created": "2025-01-03T20:41:46.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1185", "external_id": "S1185" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-15T18:40:23.781Z", "name": "LightSpy", "description": "First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. 
It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.(Citation: MelikovBlackBerry LightSpy 2024) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "Windows", "iOS", "macOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Alden Schmidt", "Dmitry Bestuzhev" ], "x_mitre_aliases": [ "LightSpy" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "created": "2017-10-25T14:48:40.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0303", "external_id": "S0303" }, { "source_name": "MazarBOT", "description": "(Citation: Tripwire-MazarBOT)" }, { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:28.053Z", "name": "MazarBOT", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. 
(Citation: Tripwire-MazarBOT)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "created": "2020-04-08T15:51:24.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0423", "external_id": "S0423" }, { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:28.434Z", "name": "Ginp", "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. 
Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Ginp" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "created": "2017-10-25T14:48:40.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0321", "external_id": "S0321" }, { "source_name": "HummingWhale", "description": "(Citation: ArsTechnica-HummingWhale)" }, { "source_name": "ArsTechnica-HummingWhale", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:28.796Z", "name": "HummingWhale", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. 
(Citation: ArsTechnica-HummingWhale)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "modified": "2024-03-29T15:07:58.675Z", "name": "eSurv", "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_aliases": [ "eSurv" ], "type": "malware", "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "created": "2020-09-14T14:13:45.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0507", "external_id": "S0507" }, { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "created": "2023-02-28T21:39:52.744Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1069", "external_id": "S1069" }, { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . 
(2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:09.556Z", "name": "TangleBot", "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "TangleBot" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "created": "2019-09-04T14:28:14.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0407", "external_id": "S0407" }, { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:29.512Z", "name": "Monokle", "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.(Citation: Lookout-Monokle)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "J\u00f6rg Abraham, EclecticIQ" ], "x_mitre_aliases": [ "Monokle" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "created": "2025-09-18T14:36:13.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1241", "external_id": "S1241" }, { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T03:26:04.908Z", "name": "RatMilad", "description": "[RatMilad](https://attack.mitre.org/software/S1241) is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. 
Variants of [RatMilad](https://attack.mitre.org/software/S1241) have been disguised as VPN applications and a fake app named NumRent. Upon installation, [RatMilad](https://attack.mitre.org/software/S1241) employs multiple [Collection](https://attack.mitre.org/tactics/TA0035) techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. (Citation: ZimperiumGupta_RatMilad_Oct2022)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Google's Android Security team" ], "x_mitre_aliases": [ "RatMilad" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "created": "2025-10-08T14:33:07.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1243", "external_id": "S1243" }, { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T03:50:18.603Z", "name": "DCHSpy", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) is an Android spyware likely used by [MuddyWater](https://attack.mitre.org/groups/G0069). [DCHSpy](https://attack.mitre.org/software/S1243) uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. 
Once downloaded, [DCHSpy](https://attack.mitre.org/software/S1243) collects information from the device and exfiltrates the data to the command and control (C2) server.(Citation: Lookout_DCHSpy_July2025) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Kaung Khant Ko" ], "x_mitre_aliases": [ "DCHSpy" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "created": "2020-12-14T14:52:02.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0539", "external_id": "S0539" }, { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:29.878Z", "name": "Red Alert 2.0", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Red Alert 2.0" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "created": "2019-11-21T16:42:48.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0418", "external_id": "S0418" }, { "source_name": "ViceLeaker", "description": "(Citation: SecureList - ViceLeaker 2019)" }, { "source_name": "Triout", "description": "(Citation: SecureList - ViceLeaker 2019)" }, { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:30.243Z", "name": "ViceLeaker", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "ViceLeaker", "Triout" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "created": "2026-03-09T14:58:08.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S9006", "external_id": "S9006" }, { "source_name": "ArcticWolf_DroppingElephant_July2025", "description": "ArcticWolf. (2025, July 23). Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode. Retrieved November 3, 2025.", "url": "https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/" }, { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). 
VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T01:32:27.375Z", "name": "VajraSpy", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. [VajraSpy](https://attack.mitre.org/software/S9006) is attributed with high confidence to [Patchwork](https://attack.mitre.org/groups/G0040) which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. (Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India", "Takemasa Kamatani , NEC Corporation" ], "x_mitre_aliases": [ "VajraSpy" ], "labels": [ "malware" ] }, { "modified": "2023-10-16T16:57:33.534Z", "name": "FlyTrap", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. 
[FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap) ", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Pooja Natarajan, NEC Corporation India", "Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India" ], "x_mitre_aliases": [ "FlyTrap" ], "type": "malware", "id": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "created": "2023-09-28T17:36:00.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1093", "external_id": "S1093" }, { "source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "created": "2020-09-15T15:18:11.971Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0509", "external_id": "S0509" }, { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:30.790Z", "name": "FakeSpy", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Ofir Almkias, Cybereason" ], "x_mitre_aliases": [ "FakeSpy" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0324", "external_id": "S0324" }, { "source_name": "SpyDealer", "description": "(Citation: PaloAlto-SpyDealer)" }, { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:31.154Z", "name": "SpyDealer", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. 
(Citation: PaloAlto-SpyDealer)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "SpyDealer" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "created": "2020-04-24T15:12:10.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0426", "external_id": "S0426" }, { "source_name": "Corona Updates", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:31.516Z", "name": "Concipit1248", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). 
Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Concipit1248", "Corona Updates" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "created": "2017-10-25T14:48:48.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0313", "external_id": "S0313" }, { "source_name": "RuMMS", "description": "(Citation: FireEye-RuMMS)" }, { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:31.880Z", "name": "RuMMS", "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. 
(Citation: FireEye-RuMMS)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "created": "2017-10-25T14:48:41.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0316", "external_id": "S0316" }, { "source_name": "Pegasus for Android", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" }, { "source_name": "Chrysaor", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" }, { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" }, { "source_name": "Google-Chrysaor", "description": "Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. Retrieved April 16, 2017.", "url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:32.245Z", "name": "Pegasus for Android", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. 
(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Pegasus for Android", "Chrysaor" ], "labels": [ "malware" ] }, { "modified": "2025-02-19T17:09:13.063Z", "name": "SpyC23", "description": "[SpyC23](https://attack.mitre.org/software/S1195) is a mobile malware that has been used by [APT-C-23](https://attack.mitre.org/groups/G1028) since at least 2017. [SpyC23](https://attack.mitre.org/software/S1195) has been observed primarily targeting Android devices in the Middle East.(Citation: welivesecurity_apt-c-23) \n\nThere are multiple close variants of [SpyC23](https://attack.mitre.org/software/S1195), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [Desert Scorpion](https://attack.mitre.org/software/S0505) and [FrozenCell](https://attack.mitre.org/software/S0577), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Sittikorn Sangrattanapitak" ], "x_mitre_aliases": [ "SpyC23" ], "type": "malware", "id": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "created": "2024-03-26T19:12:00.011Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1195", "external_id": "S1195" }, { "source_name": "Unit42 VAMP 2017", "description": "Bar, T., Lancaster, T. (2017, April 5). 
Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" }, { "source_name": "Trendmicro GnatSpy 2017", "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "modified": "2025-02-19T17:08:24.276Z", "name": "FrozenCell", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell) \n\nThere are multiple close variants of [FrozenCell](https://attack.mitre.org/software/S0577), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [Desert Scorpion](https://attack.mitre.org/software/S0505) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_aliases": [ "FrozenCell" ], "type": "malware", "id": 
"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "created": "2021-02-17T20:43:52.033Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0577", "external_id": "S0577" }, { "source_name": "Unit42 VAMP 2017", "description": "Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" }, { "source_name": "Trendmicro GnatSpy 2017", "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html" }, { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "created": "2020-10-29T18:41:49.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0524", "external_id": "S0524" }, { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . 
Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:32.960Z", "name": "AndroidOS/MalLocker.B", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "AndroidOS/MalLocker.B" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "created": "2023-01-18T19:44:52.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1055", "external_id": "S1055" }, { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:11.187Z", "name": "SharkBot", "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "SharkBot" ], "labels": [ "malware" ] }, { "modified": "2024-11-17T14:24:44.696Z", "name": "RedDrop", "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_aliases": [ "RedDrop" ], "type": "malware", "id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0326", "external_id": "S0326" }, { "source_name": "RedDrop", "description": "(Citation: Wandera-RedDrop)" }, { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "created": "2020-12-31T18:25:04.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0555", "external_id": "S0555" }, { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:33.676Z", "name": "CHEMISTGAMES", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "CHEMISTGAMES" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "created": "2017-10-25T14:48:48.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0311", "external_id": "S0311" }, { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. 
(2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:11.527Z", "name": "YiSpecter", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "YiSpecter" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "created": "2017-10-25T14:48:46.411Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0307", "external_id": "S0307" }, { "source_name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:34.229Z", "name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "modified": "2023-10-20T21:40:21.121Z", "name": "BOULDSPY", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Gunji Satoshi, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India", "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd" ], "x_mitre_aliases": [ "BOULDSPY" ], "type": "malware", "id": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "created": "2023-07-21T19:31:54.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1079", "external_id": "S1079" }, { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "modified": "2024-09-25T15:03:05.100Z", "name": "Anubis", "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.3", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Anubis" ], "type": "malware", "id": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "created": "2020-04-08T15:41:19.114Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0422", "external_id": "S0422" }, { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "modified": "2024-11-17T20:00:53.685Z", "name": "AndroRAT", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. 
[AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_aliases": [ "AndroRAT" ], "type": "malware", "id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "created": "2017-10-25T14:48:47.363Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0292", "external_id": "S0292" }, { "source_name": "Forcepoint BITTER Pakistan Oct 2016", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.", "url": "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" }, { "source_name": "github_androrat", "description": "The404Hacking. (n.d.). AndroRAT. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221013124327/https:/github.com/The404Hacking/AndroRAT" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "modified": "2024-09-12T17:23:46.687Z", "name": "FinFisher", "description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)", "x_mitre_platforms": [ "Windows", "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.4", "x_mitre_aliases": [ "FinFisher", "FinSpy" ], "type": "malware", "id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0182", "external_id": "S0182" }, { "source_name": "FinFisher", "description": "(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" }, { "source_name": "FinSpy", "description": "(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" }, { "source_name": "Microsoft FinFisher March 2018", "description": "Allievi, A.,Flori, E. (2018, March 01). 
FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" }, { "source_name": "Microsoft SIR Vol 21", "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" }, { "source_name": "FinFisher Citation", "description": "FinFisher. (n.d.). Retrieved September 12, 2024.", "url": "https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" }, { "source_name": "FireEye FinSpy Sept 2017", "description": "Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html" }, { "source_name": "Securelist BlackOasis Oct 2017", "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. 
Retrieved February 15, 2018.", "url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", "created": "2020-05-07T15:18:34.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0440", "external_id": "S0440" }, { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:35.302Z", "name": "Agent Smith", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Agent Smith" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "created": "2020-12-14T15:02:35.007Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0540", "external_id": "S0540" }, { "source_name": "Trojan-SMS.AndroidOS.Smaps", "description": "(Citation: Securelist Asacub)" }, { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:35.670Z", "name": "Asacub", "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims\u2019 bank accounts. 
It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Asacub", "Trojan-SMS.AndroidOS.Smaps" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "created": "2020-11-24T17:55:12.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0536", "external_id": "S0536" }, { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:36.033Z", "name": "GPlayed", "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "GPlayed" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "created": "2020-06-26T14:55:12.847Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0478", "external_id": "S0478" }, { "source_name": "Cybereason EventBot", "description": 
"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:36.402Z", "name": "EventBot", "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "EventBot" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "created": "2020-12-17T20:15:22.110Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0544", "external_id": "S0544" }, { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:36.765Z", "name": "HenBox", "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "HenBox" ], "labels": [ "malware" ] }, { "modified": "2025-04-02T15:36:23.931Z", "name": "Binary Validator", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) is a Mach-O binary file used during [Operation Triangulation](https://attack.mitre.org/campaigns/C0054).(Citation: SecureList OpTriangulation 23Oct2023) [Binary Validator](https://attack.mitre.org/software/S1215) first collects information about the device, such as the device's phone number and a list of installed applications, before the deployment of the [TriangleDB](https://attack.mitre.org/software/S1216) implant. 
After the actions are completed and the data is collected, [Binary Validator](https://attack.mitre.org/software/S1215) encrypts and sends the data to the C2 server, and in turn, the C2 server sends the [TriangleDB](https://attack.mitre.org/software/S1216) implant.", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Binary Validator" ], "type": "malware", "id": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "created": "2025-03-27T22:44:51.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1215", "external_id": "S1215" }, { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "created": "2025-08-29T21:53:36.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1231", "external_id": "S1231" }, { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" }, { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. 
(2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T03:31:15.830Z", "name": "GodFather", "description": "[GodFather](https://attack.mitre.org/software/S1231) is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, [GodFather](https://attack.mitre.org/software/S1231) targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. (Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Google's Android Security team" ], "x_mitre_aliases": [ "GodFather" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "created": "2019-08-07T15:57:12.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0403", "external_id": "S0403" }, { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:37.303Z", "name": "Riltok", "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Riltok" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "created": "2020-01-27T17:05:57.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0421", "external_id": "S0421" }, { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:37.700Z", "name": "GolfSpy", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "GolfSpy" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "created": "2019-07-10T15:35:43.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0399", "external_id": "S0399" }, { "source_name": "Pallas", "description": "(Citation: Lookout Dark Caracal Jan 2018)" }, { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:38.069Z", "name": "Pallas", "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Pallas" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "created": "2021-04-26T15:33:55.798Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0602", "external_id": "S0602" }, { "source_name": "CitizenLab Circles", "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020.", "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:38.438Z", "name": "Circles", "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. 
It can be connected to a telecommunications company\u2019s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Circles" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "created": "2021-01-05T20:16:19.968Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0558", "external_id": "S0558" }, { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:38.825Z", "name": "Tiktok Pro", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Tiktok Pro" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "created": "2017-10-25T14:48:43.527Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0291", "external_id": "S0291" }, { "source_name": "PJApps", "description": "(Citation: 
Lookout-EnterpriseApps)" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:39.221Z", "name": "PJApps", "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "created": "2017-10-25T14:48:38.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0294", "external_id": "S0294" }, { "source_name": "ShiftyBug", "description": "(Citation: Lookout-Adware)" }, { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:39.602Z", "name": "ShiftyBug", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. 
(Citation: Lookout-Adware)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "created": "2017-10-25T14:48:42.948Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0322", "external_id": "S0322" }, { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:13.785Z", "name": "HummingBad", "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. 
(Citation: ArsTechnica-HummingBad)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "HummingBad" ], "labels": [ "malware" ] }, { "modified": "2024-10-01T15:53:53.833Z", "name": "Exobot", "description": "[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Exobot" ], "type": "malware", "id": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "created": "2020-10-29T13:32:20.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0522", "external_id": "S0522" }, { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "created": "2017-10-25T14:48:44.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0286", "external_id": "S0286" }, { "source_name": "OBAD", "description": "(Citation: TrendMicro-Obad)" }, { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:40.325Z", "name": "OBAD", "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "modified": "2025-03-12T22:09:42.623Z", "name": "FjordPhantom", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. [FjordPhantom](https://attack.mitre.org/software/S1208) was distributed through email and messaging applications. 
Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. The malicious activity from the virtualization solution runs alongside legitimate banking applications.(Citation: Promon FjordPhantom Oct2024) ", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Liran Ravich, CardinalOps" ], "x_mitre_aliases": [ "FjordPhantom" ], "type": "malware", "id": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "created": "2025-03-12T22:01:15.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1208", "external_id": "S1208" }, { "source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "created": "2017-10-25T14:48:45.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0304", "external_id": "S0304" }, { "source_name": "Android/Chuli.A", "description": "(Citation: Kaspersky-WUC)" }, { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:40.920Z", "name": "Android/Chuli.A", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Android/Chuli.A" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "created": "2017-10-25T14:48:39.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0323", "external_id": "S0323" }, { "source_name": "Charger", "description": "(Citation: CheckPoint-Charger)" }, { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:41.299Z", "name": "Charger", "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. 
(Citation: CheckPoint-Charger)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Charger" ], "labels": [ "malware" ] }, { "modified": "2024-11-17T18:11:27.761Z", "name": "Drinik", "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Drinik" ], "type": "malware", "id": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "created": "2023-01-18T19:05:43.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1054", "external_id": "S1054" }, { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", "created": "2017-10-25T14:48:46.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0308", "external_id": "S0308" }, { "source_name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:41.844Z", "name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. 
(Citation: Kaspersky-MobileMalware)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "created": "2017-10-25T14:48:42.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0297", "external_id": "S0297" }, { "source_name": "XcodeGhost", "description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)" }, { "source_name": "PaloAlto-XcodeGhost1", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" }, { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:42.212Z", "name": "XcodeGhost", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. 
(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "created": "2020-12-24T21:41:36.719Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0549", "external_id": "S0549" }, { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:42.577Z", "name": "SilkBean", "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "SilkBean" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "created": "2020-07-20T13:27:33.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/software/S0489", "external_id": "S0489" }, { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:42.935Z", "name": "WolfRAT", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "WolfRAT" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "created": "2021-10-01T14:42:48.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0655", "external_id": "S0655" }, { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:15.058Z", "name": "BusyGasper", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. 
There have been fewer than 10 victims, all of whom appear to be located in Russia, and all were infected via physical access to the device.(Citation: SecureList BusyGasper)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "BusyGasper" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "created": "2017-10-25T14:48:47.674Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0293", "external_id": "S0293" }, { "source_name": "CheckPoint-BrainTest", "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.", "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/" }, { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:15.215Z", "name": "BrainTest", "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. 
(Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "created": "2020-12-18T20:14:46.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0545", "external_id": "S0545" }, { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:43.667Z", "name": "TERRACOTTA", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "TERRACOTTA" ], "labels": [ "malware" ] }, { "modified": "2023-10-11T14:36:10.445Z", "name": "Escobar", "description": "[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ 
"Pooja Natarajan, NEC Corporation India", "Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India" ], "x_mitre_aliases": [ "Escobar" ], "type": "malware", "id": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "created": "2023-09-28T17:04:46.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1092", "external_id": "S1092" }, { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "created": "2026-02-06T21:22:59.796Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S9004", "external_id": "S9004" }, { "source_name": "ThreatFabric_Crocodilus_June2025", "description": "ThreatFabric. (2025, June 3). Crocodilus Mobile Malware: Evolving Fast, Going Global. Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global" }, { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T03:24:47.669Z", "name": "Crocodilus", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) is an Android banking Trojan that was discovered in March 2025. [Crocodilus](https://attack.mitre.org/software/S9004) targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. [Crocodilus](https://attack.mitre.org/software/S9004) has been customized based on the target location. For example, [Crocodilus](https://attack.mitre.org/software/S9004) mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted [Crocodilus](https://attack.mitre.org/software/S9004) to claim bonus points.(Citation: ThreatFabric_Crocodilus_March2025)(Citation: ThreatFabric_Crocodilus_June2025) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack", "enterprise-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Liran Ravich, CardinalOps" ], "x_mitre_aliases": [ "Crocodilus" ], "labels": [ "malware" ] }, { "modified": "2025-03-27T14:28:40.768Z", "name": "Android/SpyAgent", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. 
Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Android/SpyAgent" ], "type": "malware", "id": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "created": "2025-03-24T14:50:29.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1214", "external_id": "S1214" }, { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "created": "2019-07-16T14:33:12.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0424", "external_id": "S0424" }, { "source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. 
Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:44.380Z", "name": "Triada", "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as second-stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Triada" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "created": "2020-11-20T15:44:57.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0535", "external_id": "S0535" }, { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:44.740Z", "name": "Golden Cup", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Golden Cup" ], "labels": [ "malware" ] }, { "modified": "2025-03-27T22:35:44.281Z", "name": "FluBot", "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524) An international law enforcement operation of 11 countries eventually disrupted the spread of [FluBot](https://attack.mitre.org/software/S1067).(Citation: Europol FluBot Jun2022)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_aliases": [ "FluBot" ], "type": "malware", "id": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "created": "2023-02-28T20:25:59.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1067", "external_id": "S1067" }, { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . 
(2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" }, { "source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" }, { "source_name": "bitdefender_flubot_0524", "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "created": "2020-09-11T16:22:02.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0506", "external_id": "S0506" }, { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:45.280Z", "name": "ViperRAT", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "ViperRAT" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "created": "2017-10-25T14:48:47.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0309", "external_id": "S0309" }, { "source_name": "Adups", "description": "(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)" }, { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" }, { "source_name": "BankInfoSecurity-BackDoor", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. 
Retrieved February 6, 2017.", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:45.642Z", "name": "Adups", "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "created": "2019-11-21T19:16:34.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0419", "external_id": "S0419" }, { "source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:46.008Z", "name": "SimBad", "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. 
The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "SimBad" ], "labels": [ "malware" ] }, { "type": "malware", "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "created": "2020-10-29T19:19:08.848Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0525", "external_id": "S0525" }, { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:46.381Z", "name": "Android/AdDisplay.Ashas", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Android/AdDisplay.Ashas" ], "labels": [ "malware" ] }, { "modified": "2024-11-17T20:01:55.807Z", "name": "Phenakite", "description": "[Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. 
According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Sittikorn Sangrattanapitak" ], "x_mitre_aliases": [ "Phenakite" ], "type": "malware", "id": "malware--f97e2718-af50-41df-811f-215ebab45691", "created": "2024-03-26T18:47:29.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1126", "external_id": "S1126" }, { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" }, { "source_name": "sentinelone_israel_hamas_war", "description": "Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "modified": "2024-09-30T18:57:47.266Z", "name": "Marcher", "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. 
(Citation: Proofpoint-Marcher)", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Marcher" ], "type": "malware", "id": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0317", "external_id": "S0317" }, { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "created": "2023-01-19T18:05:30.924Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1056", "external_id": "S1056" }, { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:22:16.464Z", "name": "TianySpy", "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "TianySpy" ], "labels": [ "malware" ] }, { "modified": "2023-10-07T21:33:03.773Z", "name": "Sunbird", "description": "[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. 
While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Sunbird" ], "type": "malware", "id": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "created": "2023-08-04T18:27:24.614Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1082", "external_id": "S1082" }, { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "created": "2017-10-25T14:48:37.856Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0300", "external_id": "S0300" }, { "source_name": "DressCode", "description": "(Citation: TrendMicro-DressCode)" }, { "source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:47.460Z", "name": "DressCode", "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "malware" ] }, { "type": "malware", "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "created": "2019-09-03T20:08:00.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0406", "external_id": "S0406" }, { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:47.835Z", "name": "Gustuff", "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Gustuff" ], "labels": [ "malware" ] }, { "type": "tool", "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "created": "2019-09-04T15:38:56.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0408", "external_id": "S0408" }, { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" }, { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" }, { "source_name": "FlexiSpy-Website", "description": "FlexiSpy. (n.d.). FlexiSpy. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:48.201Z", "name": "FlexiSpy", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Emily Ratliff, IBM" ], "x_mitre_aliases": [ "FlexiSpy" ], "labels": [ "tool" ] }, { "type": "tool", "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "created": "2017-10-25T14:48:48.609Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0298", "external_id": "S0298" }, { "source_name": "Xbot", "description": "(Citation: PaloAlto-Xbot)" }, { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:48.566Z", "name": "Xbot", "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "labels": [ "tool" ] }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0027", "external_id": "TA0027" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:48.923Z", "name": "Initial Access", "description": "The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "initial-access" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/tactics/TA0036", "external_id": "TA0036" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:49.291Z", "name": "Exfiltration", "description": "The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "exfiltration" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0028", "external_id": "TA0028" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:49.660Z", "name": "Persistence", "description": " The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. 
Attackers will often need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "persistence" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0029", "external_id": "TA0029" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:50.023Z", "name": "Privilege Escalation", "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. 
Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "privilege-escalation" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0037", "external_id": "TA0037" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:50.386Z", "name": "Command and Control", "description": "The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. 
Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "command-and-control" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "created": "2020-01-27T14:00:49.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0041", "external_id": "TA0041" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:50.761Z", "name": "Execution", "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "execution" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0034", "external_id": "TA0034" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:51.127Z", "name": "Impact", "description": "The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. 
Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "impact" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0031", "external_id": "TA0031" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:51.482Z", "name": "Credential Access", "description": "The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. 
With sufficient access within a network, an adversary can create accounts for later use within the environment.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "credential-access" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0035", "external_id": "TA0035" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:51.847Z", "name": "Collection", "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. 
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "collection" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0033", "external_id": "TA0033" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:52.207Z", "name": "Lateral Movement", "description": "The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. 
The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "lateral-movement" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0030", "external_id": "TA0030" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:52.568Z", "name": "Defense Evasion", "description": " The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. 
Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "defense-evasion" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0038", "external_id": "TA0038" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:48.173Z", "name": "Network Effects", "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. 
These include techniques to intercept or manipulate network traffic to and from the mobile device.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "network-effects" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0032", "external_id": "TA0032" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:40:53.105Z", "name": "Discovery", "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. 
The operating system may provide capabilities that aid in this post-compromise information-gathering phase.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "discovery" }, { "type": "x-mitre-tactic", "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0039", "external_id": "TA0039" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:48.346Z", "name": "Remote Service Effects", "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. 
Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "remote-service-effects" }, { "type": "attack-pattern", "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "created": "2020-11-04T16:43:31.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1603", "external_id": "T1603" }, { "source_name": "Apple NSBackgroundActivityScheduler", "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.", "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler" }, { "source_name": "Android WorkManager", "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.", "url": "https://developer.android.com/topic/libraries/architecture/workmanager" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:18.936Z", "name": "Scheduled Task/Job", "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. 
`WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Lorin Wu, Trend Micro" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "created": "2019-10-30T15:37:55.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1540", "external_id": "T1540" }, { "source_name": "Fadeev Code Injection Aug 2018", "description": "Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019.", "url": "https://fadeevab.com/shared-library-injection-on-android-8/" }, { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" }, { "source_name": "Shunix Code Injection Mar 2016", "description": "Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019.", "url": "https://shunix.com/shared-library-injection-in-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:20.267Z", "name": "Code Injection", "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. 
In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "created": "2022-04-05T20:11:08.894Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1638", "external_id": "T1638" }, { "source_name": "mitd_checkpoint", "description": "Check Point Research Team. (2018, August 12). Man-in-the-Disk: A New Attack Surface for Android Apps. Retrieved October 31, 2023.", "url": "https://blog.checkpoint.com/security/man-in-the-disk-a-new-attack-surface-for-android-apps/" }, { "source_name": "mitd_kaspersky", "description": "Drozhzhin, A. (2018, August 27). Man-in-the-Disk: A new and dangerous way to hack Android. Retrieved October 31, 2023.", "url": "https://usa.kaspersky.com/blog/man-in-the-disk/16089/" }, { "source_name": "NSC_Android", "description": "Lee, A., Ramirez, T. (2018, August 15). A Security Analyst\u2019s Guide to Network Security Configuration in Android P . 
Retrieved February 7, 2024.", "url": "https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/" }, { "source_name": "mitd_checkpoint_research", "description": "Makkaveev, S. (2018, August 12). Man-in-the-Disk: Android Apps Exposed via External Storage. Retrieved October 31, 2023.", "url": "https://research.checkpoint.com/androids-man-in-the-disk/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", "external_id": "CEL-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "external_id": "APP-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html", "external_id": "APP-8" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html", "external_id": "ECO-12" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:21.401Z", "name": "Adversary-in-the-Middle", "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. 
Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalated privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application first requests access to multimedia files on the device (`READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, adversaries may abuse the permission to access files and other sensitive data. Multiple applications were shown to be vulnerable to this attack; however, scrutiny of permissions and input validation may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. 
For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "created": "2022-04-01T15:54:05.633Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1626", "external_id": "T1626" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:21.493Z", "name": "Abuse Elevation Control Mechanism", "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "created": "2023-09-25T19:53:07.406Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1663", "external_id": "T1663" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:21:44.009Z", "name": "Remote Access Software", "description": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. \n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "created": "2017-10-25T14:48:08.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1454", "external_id": "T1454" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-11-13T14:17:41.362Z", "name": "Malicious SMS Message", "description": "Test", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", "created": "2017-10-25T14:48:18.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1470", "external_id": "T1470" }, { "source_name": "Elcomsoft-EPPB", "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.", "url": "https://www.elcomsoft.com/eppb.html" }, { "source_name": "Elcomsoft-WhatsApp", "description": "Oleg Afonin. (2017, July 20). 
Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018.", "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", "external_id": "ECO-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", "external_id": "ECO-1" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:22.923Z", "name": "Obtain Device Cloud Backups", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). 
Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "created": "2022-03-30T19:31:31.855Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/001", "external_id": "T1630.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:23.278Z", "name": "Uninstall Malicious Application", "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. 
This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "created": "2022-03-30T19:28:25.541Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630", "external_id": "T1630" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:23.556Z", "name": "Indicator Removal on Host", "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. 
This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS", "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474", "external_id": "T1474" }, { "source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024.", "url": "https://dl.acm.org/doi/10.1145/2185448.2185464" }, { "source_name": "NowSecure-RemoteCode", "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. 
Retrieved December 22, 2016.", "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", "external_id": "APP-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", "external_id": "SPC-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", "external_id": "SPC-1" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", "external_id": "SPC-2" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", "external_id": "SPC-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", "external_id": "SPC-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", "external_id": "SPC-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", "external_id": "SPC-7" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", "external_id": "SPC-8" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", "external_id": "SPC-9" }, { "source_name": 
"NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", "external_id": "SPC-10" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", "external_id": "SPC-11" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", "external_id": "SPC-12" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", "external_id": "SPC-13" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html", "external_id": "SPC-14" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", "external_id": "SPC-15" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", "external_id": "SPC-16" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", "external_id": "SPC-17" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", "external_id": "SPC-18" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html", "external_id": "SPC-19" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": "SPC-20" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", "external_id": "SPC-21" } ], "object_marking_refs": 
[ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:23.643Z", "name": "Supply Chain Compromise", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. 
Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "created": "2022-04-05T19:49:58.938Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430/002", "external_id": "T1430.002" }, { "source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" }, { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" }, { "source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. 
Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" }, { "source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" }, { "source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "external_id": "CEL-38" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:24.309Z", "name": "Impersonate SS7 Nodes", "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": 
"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "created": "2023-07-12T20:45:14.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1655/001", "external_id": "T1655.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", "external_id": "APP-14" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:21:44.590Z", "name": "Match Legitimate Name or Location", "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). 
\n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Ford Qin, Trend Micro", "Liran Ravich, CardinalOps" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "created": "2017-10-25T14:48:30.462Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1425", "external_id": "T1425" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:25.548Z", "name": "Insecure Third-Party Libraries", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "created": "2022-04-01T12:36:41.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636", "external_id": "T1636" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:25.642Z", "name": "Protected User Data", "description": "Adversaries may utilize 
standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "created": "2022-04-05T20:15:43.636Z", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1521/002", "external_id": "T1521.002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:26.898Z", "name": "Asymmetric Cryptography", "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. 
Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "created": "2017-10-25T14:48:28.067Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1418", "external_id": "T1418" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:27.789Z", "name": "Software Discovery", "description": "Adversaries may attempt to get a listing of applications that are 
installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or identifying the presence of target applications. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "created": "2017-10-25T14:48:33.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1424", "external_id": "T1424" }, { "source_name": "Android-SELinuxChanges", "description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.", "url": "https://code.google.com/p/android/issues/detail?id=205565" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:28.244Z", "name": "Process Discovery", "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. 
Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "created": "2022-04-01T13:12:23.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/002", "external_id": "T1636.002" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:29.311Z", 
"name": "Call Log", "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "created": "2022-03-31T19:50:45.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1418/001", "external_id": "T1418.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:29.485Z", "name": "Security Software Discovery", "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. 
Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "created": "2017-10-25T14:48:10.699Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1434", "external_id": "T1434" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:30.211Z", "name": "App Delivered via Email Attachment", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "created": "2022-03-30T19:05:17.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1631/001", "external_id": "T1631.001" }, { "source_name": "BH Linux Inject", "description": "Colgan, T. (2015, August 15). Linux-Inject. 
Retrieved February 21, 2020.", "url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf" }, { "source_name": "Medium Ptrace JUL 2018", "description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.", "url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be" }, { "source_name": "PTRACE man", "description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.", "url": "http://man7.org/linux/man-pages/man2/ptrace.2.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:30.394Z", "name": "Ptrace System Calls", "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. 
Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "created": "2022-04-01T18:42:22.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629", "external_id": "T1629" }, { "source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:30.589Z", "name": "Impair Defenses", "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "created": "2017-10-25T14:48:08.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1453", "external_id": "T1453" }, { "source_name": "Google_AndroidAcsOverview", "description": "Google. (n.d.). Android accessibility overview. 
Retrieved April 17, 2025.", "url": "https://support.google.com/accessibility/android/answer/6006564?hl=en&ref_topic=6007234&sjid=9936713164149272548-NA" }, { "source_name": "SahinSRLabs_FluBot_Dec2021", "description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. Retrieved April 16, 2025.", "url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-27T17:12:01.143Z", "name": "Abuse Accessibility Features", "description": "Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device\u2019s user interface, such as changing the font size and adjusting contrast or colors.(Citation: Google_AndroidAcsOverview) \n\nOne example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. The user types their credentials in the overlay HTML object, which is then sent to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) \n\nAnother example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends them to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) This method of attack is also described in [Keylogging](https://attack.mitre.org/techniques/T1417/001); whereas [Abuse Accessibility Features](https://attack.mitre.org/techniques/T1453) captures the overall abuse of accessibility features. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET", "Liran Ravich, CardinalOps" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "3.0" }, { "type": "attack-pattern", "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "created": "2017-10-25T14:48:13.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1428", "external_id": "T1428" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html", "external_id": "APP-32" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:31.144Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. 
\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "created": "2022-04-01T19:06:27.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1437/001", "external_id": "T1437.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "external_id": "APP-29" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:31.318Z", "name": "Web Protocols", "description": 
"Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order to blend in with routine device traffic making it difficult for enterprises to inspect. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "created": "2022-04-01T15:12:50.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1635", "external_id": "T1635" }, { "source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html" }, { "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", "description": "Auth0. 
(n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/" }, { "source_name": "Microsoft - OAuth Code Authorization flow - June 2019", "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow" }, { "source_name": "Microsoft Identity Platform Protocols May 2019", "description": "Microsoft. (n.d.). Retrieved September 12, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:31.876Z", "name": "Steal Application Access Token", "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. 
An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "created": "2022-04-11T20:05:56.069Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628/002", "external_id": "T1628.002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:32.337Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. 
That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "created": "2022-03-30T17:51:29.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1633", "external_id": "T1633" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:32.877Z", "name": "Virtualization/Sandbox Evasion", "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. 
\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "created": "2020-06-24T17:33:49.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1579", "external_id": "T1579" }, { "source_name": "Apple Keychain Services", "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.", "url": "https://developer.apple.com/documentation/security/keychain_services" }, { "source_name": "Elcomsoft Decrypt Keychain", "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. 
Retrieved June 24, 2020.", "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:32.963Z", "name": "Keychain", "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2023-09-28T15:36:11.282Z", "name": "Application Versioning", "description": "An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. 
This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)\n\nThis technique could also be accomplished by compromising a developer\u2019s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_contributors": [ "Edward Stevens, BT Security", "Adam Lichters" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "created": "2023-09-21T22:16:38.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1661", "external_id": "T1661" }, { "source_name": "android_app_breaking_bad", "description": "Stefanko, L. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved August 28, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": "SPC-20" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", "created": "2017-10-25T14:48:17.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1413", "external_id": "T1413" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", "external_id": "APP-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:36.939Z", "name": "Access Sensitive Data in Device Logs", "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. 
On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "created": "2022-03-30T13:40:37.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1623", "external_id": "T1623" }, { "source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:33.677Z", "name": "Command and Scripting Interpreter", "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. 
Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "created": "2022-04-01T18:51:13.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/003", "external_id": "T1629.003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:33.763Z", "name": "Disable or Modify Tools", "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. 
This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "created": "2020-01-21T15:27:30.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1544", "external_id": "T1544" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:34.355Z", "name": "Ingress Tool Transfer", "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. 
Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "created": "2022-04-05T19:57:15.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1637", "external_id": "T1637" }, { "source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:34.706Z", "name": "Dynamic Resolution", "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. 
This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1477", "external_id": "T1477" }, { "source_name": "Forbes-iPhoneSMS", "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016.", "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html" }, { "source_name": "Register-BaseStation", "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016.", "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/" }, { "source_name": "ProjectZero-BroadcomWiFi", "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018.", "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html" }, { "source_name": "Weinmann-Baseband", "description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. 
Retrieved December 23, 2016.", "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf" }, { "source_name": "SRLabs-SIMCard", "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016.", "url": "https://srlabs.de/bites/rooting-sim-cards/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:37.121Z", "name": "Exploit via Radio Interfaces", "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. 
Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", "created": "2017-10-25T14:48:26.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1423", "external_id": "T1423" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:35.175Z", "name": "Network Service Scanning", "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. 
This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", "created": "2021-09-30T18:18:52.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1618", "external_id": "T1618" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:35.718Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. 
Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "created": "2022-04-01T15:43:45.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1646", "external_id": "T1646" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "external_id": "APP-29" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:36.720Z", "name": "Exfiltration Over C2 Channel", "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. 
Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "created": "2025-09-17T14:58:52.520Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/005", "external_id": "T1636.005" }, { "source_name": "Android_AccountManager_Feb2025", "description": "Android. (2025, February 13). AccountManager. Retrieved September 2, 2025.", "url": "https://developer.android.com/reference/android/accounts/AccountManager" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-17T15:21:58.225Z", "name": "Accounts", "description": "Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the `getAccounts()` method to list all accounts.(Citation: Android_AccountManager_Feb2025) On iOS, this can be accomplished by using the Keychain services. \n\nIf the device has been jailbroken or rooted, adversaries may be able to access [Accounts](https://attack.mitre.org/techniques/T1636/005) without the users\u2019 knowledge or approval. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Google's Android Security team" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "created": "2017-10-25T14:48:29.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1404", "external_id": "T1404" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:38.088Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. 
Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user-level permission to root permissions depending on the component that is vulnerable. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "created": "2021-09-20T13:42:20.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1616", "external_id": "T1616" }, { "source_name": "Android Permissions", "description": "Google. (2021, August 11). Manifest.permission. 
Retrieved September 22, 2021.", "url": "https://developer.android.com/reference/android/Manifest.permission" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html", "external_id": "APP-41" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html", "external_id": "CEL-42" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html", "external_id": "CEL-36" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html", "external_id": "CEL-18" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:38.183Z", "name": "Call Control", "description": "Adversaries may make, forward, or block phone calls without user authorization. 
This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. 
This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Gaetan van Diemen, ThreatFabric" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "created": "2022-04-06T13:22:57.683Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1639/001", "external_id": "T1639.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "external_id": "APP-30" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:38.977Z", "name": "Exfiltration Over Unencrypted Non-C2 Protocol", "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). 
Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "created": "2022-03-30T14:41:00.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1624/001", "external_id": "T1624.001" }, { "source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:39.155Z", "name": "Broadcast Receivers", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. 
Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", "created": "2017-10-25T14:48:16.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1436", "external_id": "T1436" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:37.510Z", "name": "Commonly Used Port", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network 
detection systems and to blend with normal network activity to avoid more detailed inspection. \n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "created": "2017-10-25T14:48:26.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1439", "external_id": "T1439" }, { "source_name": "mHealth", "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. 
Retrieved December 24, 2016.", "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "external_id": "APP-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:37.686Z", "name": "Eavesdrop on Insecure Network Communication", "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "created": "2019-09-15T15:26:08.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1517", "external_id": "T1517" }, { "source_name": "ESET 2FA Bypass", "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. 
Retrieved September 15, 2019.", "url": "https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:40.140Z", "name": "Access Notifications", "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time codes sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "created": "2017-10-25T14:48:14.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1410", "external_id": "T1410" }, { "source_name": "Skycure-Profiles", "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. 
Retrieved December 22, 2016.", "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:40.404Z", "name": "Network Traffic Capture or Redirection", "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. 
For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "created": "2017-10-25T14:48:34.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1411", "external_id": "T1411" }, { "source_name": "Felt-PhishingOnMobileDevices", "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.", "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf" }, { "source_name": "Android Background", "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.", "url": "https://developer.android.com/guide/components/activities/background-starts" }, { "source_name": "Android-getRunningTasks", "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. 
Retrieved January 19, 2017.", "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29" }, { "source_name": "Cloak and Dagger", "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.", "url": "http://cloak-and-dagger.org/" }, { "source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff" }, { "source_name": "eset-finance", "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.", "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/" }, { "source_name": "Hassell-ExploitingAndroid", "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.", "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf" }, { "source_name": "XDA Bubbles", "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.", "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/" }, { "source_name": "NowSecure Android Overlay", "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.", "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/" }, { "source_name": "ThreatFabric Cerberus", "description": "ThreatFabric. (2019, August). 
Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "StackOverflow-getRunningAppProcesses", "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017.", "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag" }, { "source_name": "Skycure-Accessibility", "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", "url": "https://www.skycure.com/blog/accessibility-clickjacking/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:41.397Z", "name": "Input Prompt", "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. 
use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses) A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "created": "2022-04-06T13:19:33.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1639", "external_id": "T1639" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "external_id": "APP-30" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:41.491Z", "name": "Exfiltration Over Alternative Protocol", "description": "Adversaries may steal data by exfiltrating it over a different protocol than that 
of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2024-02-20T23:39:08.047Z", "name": "Internet Connection Discovery", "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using `adb shell netstat` for Android.(Citation: adb_commands)\n\nAdversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. 
The results may also be used to identify routes, redirectors, and proxy servers.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "created": "2024-02-20T23:39:08.047Z", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1422/001", "external_id": "T1422.001" }, { "source_name": "adb_commands", "description": "Pulimet. (2017, September 11). AdbCommands. Retrieved December 14, 2023.", "url": "https://gist.github.com/Pulimet/5013acf2cd5b28e55036c82c91bd56d8" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "created": "2017-10-25T14:48:24.069Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1460", "external_id": "T1460" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:43.592Z", "name": "Biometric Spoofing", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "created": "2017-10-25T14:48:31.294Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1398", "external_id": "T1398" }, { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:43.758Z", "name": "Boot or Logon Initialization Scripts", "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "created": "2022-03-30T20:31:16.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1627", "external_id": "T1627" }, { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:44.210Z", "name": "Execution Guardrails", "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. 
This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "created": "2022-04-05T19:48:31.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417/002", "external_id": "T1417.002" }, { "source_name": "Felt-PhishingOnMobileDevices", "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.", "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf" }, { "source_name": "Android Background", "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.", "url": "https://developer.android.com/guide/components/activities/background-starts" }, { "source_name": "Cloak and Dagger", "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 12, 2024.", "url": "https://cloak-and-dagger.org/" }, { "source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. 
(2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff" }, { "source_name": "eset-finance", "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.", "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/" }, { "source_name": "Hassell-ExploitingAndroid", "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.", "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf" }, { "source_name": "XDA Bubbles", "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.", "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/" }, { "source_name": "NowSecure Android Overlay", "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.", "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/" }, { "source_name": "ThreatFabric Cerberus", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "Skycure-Accessibility", "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:45.045Z", "name": "GUI Input Capture", "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows were, at the time of the cited report, expected to be deprecated in a future release of Android in favor of a new API; defenders should verify the permission's current status on the Android versions they support rather than assume it has been removed.(Citation: XDA Bubbles)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "created": "2017-10-25T14:48:11.535Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1432", "external_id": "T1432" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:45.330Z", "name": "Access Contact List", "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "created": "2022-03-30T19:53:27.791Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1645", "external_id": "T1645" }, { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:45.611Z", "name": "Compromise Client Software Binary", "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "created": "2022-03-30T19:20:37.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1406/002", "external_id": "T1406.002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:46.514Z", "name": "Software Packing", "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. 
A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "created": "2017-10-25T14:48:16.288Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1445", "external_id": "T1445" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:46.777Z", "name": "Abuse of iOS Enterprise App Signing Key", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "created": "2017-10-25T14:48:09.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1450", "external_id": "T1450" }, { "source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. 
Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" }, { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" }, { "source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" }, { "source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" }, { "source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "external_id": "CEL-38" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:47.128Z", "name": "Exploit SS7 to Track Device Location", "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "created": "2020-04-28T14:35:37.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1575", "external_id": "T1575" }, { "source_name": "Google NDK Getting Started", "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020.", "url": "https://developer.android.com/ndk/guides" }, { "source_name": "MITRE App Vetting Effectiveness", "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020.", "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:47.482Z", "name": "Native API", "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. 
Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1476", "external_id": "T1476" }, { "source_name": "IBTimes-ThirdParty", "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018.", "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861" }, { "source_name": "TrendMicro-RootingMalware", "description": "Jordan Pan. (2016, February 10). 
User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/" }, { "source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" }, { "source_name": "TrendMicro-FlappyBird", "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", "external_id": "AUT-9" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", "external_id": "ECO-13" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", "external_id": "ECO-21" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:47.664Z", "name": "Deliver Malicious App via Other Means", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. 
However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", "created": "2017-10-25T14:48:07.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1469", "external_id": "T1469" }, { "source_name": "Honan-Hacking", 
"description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.", "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:47.844Z", "name": "Remotely Wipe Data Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "modified": "2023-09-28T17:02:58.893Z", "name": "Exploitation for Client Execution", "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. 
Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility. \n\nAdversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution. \n\n### SMS/iMessage Delivery \n\nSMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required. \n\n### AirDrop \n\nUnique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries could force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_contributors": [ "Giorgi Gurgenidze, ISAC" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "created": "2023-08-23T22:13:27.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1658", "external_id": "T1658" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "created": "2020-11-30T14:26:07.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1604", "external_id": "T1604" }, { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:50.301Z", "name": "Proxy Through Victim", "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. 
This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "created": "2019-09-23T13:11:43.694Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1520", "external_id": "T1520" }, { "source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" }, { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:50.736Z", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "created": "2017-10-25T14:48:20.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1435", "external_id": "T1435" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:51.462Z", "name": "Access Calendar Entries", "description": "An adversary could call standard operating system APIs from a 
malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "created": "2017-10-25T14:48:21.354Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1465", "external_id": "T1465" }, { "source_name": "Kaspersky-DarkHotel", "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016.", "url": "https://blog.kaspersky.com/darkhotel-apt/6613/" }, { "source_name": "NIST-SP800153", "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). 
Retrieved December 24, 2016.", "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", "external_id": "LPN-0" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:39.717Z", "name": "Rogue Wi-Fi Access Points", "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "created": "2019-11-19T17:32:20.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1541", "external_id": "T1541" }, { "source_name": "Android-SensorsOverview", "description": "Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.", "url": "https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices" }, { "source_name": "Android-ForegroundServices", "description": "Google. (n.d.). Services overview. 
Retrieved November 19, 2019.", "url": "https://developer.android.com/guide/components/services.html#Foreground" }, { "source_name": "TrendMicro-Yellow Camera", "description": "Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/" }, { "source_name": "BlackHat Sutter Android Foreground 2019", "description": "Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. Retrieved December 26, 2019.", "url": "https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:52.197Z", "name": "Foreground Persistence", "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. 
The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Lorin Wu, Trend Micro" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2024-11-17T13:26:29.167Z", "name": "Replication Through Removable Media", "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. 
In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device's physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift that can purportedly exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "created": "2017-10-25T14:48:23.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1458", "external_id": "T1458" }, { "source_name": "Krebs-JuiceJacking", "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. 
Retrieved December 23, 2016.", "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/" }, { "source_name": "GoogleProjectZero-OATmeal", "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.", "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html" }, { "source_name": "Lau-Mactans", "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.", "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf" }, { "source_name": "Computerworld-iPhoneCracking", "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved November 17, 2024.", "url": "https://www.techcentral.ie/two-vendors-now-sell-iphone-cracking-technology-police-buying/" }, { "source_name": "IBM-NexusUSB", "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. 
Retrieved January 11, 2017.", "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", "external_id": "PHY-1" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", "external_id": "PHY-2" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html", "external_id": "STA-6" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "created": "2017-10-25T14:48:12.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1429", "external_id": "T1429" }, { "source_name": "Manifest.permission", "description": "Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.", "url": "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL" }, { "source_name": "Requesting Auth-Media Capture", "description": "Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios" }, { "source_name": "Android Permissions", "description": "Google. (2021, August 11). Manifest.permission. 
Retrieved September 22, 2021.", "url": "https://developer.android.com/reference/android/Manifest.permission" }, { "source_name": "Android Privacy Indicators", "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", "url": "https://source.android.com/devices/tech/config/privacy-indicators" }, { "source_name": "iOS Mic Spyware", "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:52.833Z", "name": "Audio Capture", "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. 
With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "3.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "created": "2022-03-30T14:49:18.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1625", "external_id": "T1625" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:53.101Z", "name": "Hijack Execution Flow", "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. 
How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "created": "2022-03-30T13:59:50.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1623/001", "external_id": "T1623.001" }, { "source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:54.078Z", "name": "Unix Shell", "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. 
Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "created": "2017-10-25T14:48:33.158Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1437", "external_id": "T1437" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "external_id": "APP-29" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:54.576Z", "name": "Application Layer Protocol", "description": "Adversaries may communicate using application layer protocols to avoid detection/network 
filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "created": "2017-10-25T14:48:11.861Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1431", "external_id": "T1431" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:55.097Z", "name": "App Delivered via Web Download", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "created": "2017-10-25T14:48:14.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1407", "external_id": "T1407" }, { "source_name": "FireEye-JSPatch", "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? 
THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", "external_id": "APP-20" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:55.445Z", "name": "Download New Code at Runtime", "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.5", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2025-02-27T22:56:19.681Z", "name": "Exploitation for Initial Access", "description": "Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. 
\n\nThis can be accomplished in a variety of ways. Vulnerabilities may be present in the applications, the services, the underlying operating system, or the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Furthermore, some vulnerabilities may be exploitable without any user interaction (i.e. zero-click exploits, see [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1658)), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, leaving only a small window in which they can be exploited. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "created": "2023-12-05T22:14:54.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1664", "external_id": "T1664" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "created": "2017-10-25T14:48:21.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1468", "external_id": "T1468" }, { "source_name": "Krebs-Location", "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. 
Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018.", "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:55.981Z", "name": "Remotely Track Device Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "created": "2022-03-30T17:53:35.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1633/001", "external_id": "T1633.001" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:56.336Z", "name": "System Checks", "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters' addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "created": "2017-10-25T14:48:15.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1409", "external_id": "T1409" }, { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). 
Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html", "external_id": "AUT-0" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:56.509Z", "name": "Stored Application Data", "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "3.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "created": "2019-08-08T18:34:14.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1513", "external_id": "T1513" }, { "source_name": "Android ScreenCap2 2019", "description": "Android Developers. (n.d.). Android Debug Bridge (adb). 
Retrieved August 8, 2019.", "url": "https://developer.android.com/studio/command-line/adb" }, { "source_name": "Android ScreenCap1 2019", "description": "Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019.", "url": "https://developer.android.com/reference/android/media/projection/MediaProjectionManager" }, { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" }, { "source_name": "Fortinet screencap July 2019", "description": "Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.", "url": "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html" }, { "source_name": "Trend Micro ScreenCap July 2015", "description": "Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html", "external_id": "APP-40" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:57.610Z", "name": "Screen Capture", "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. 
Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "created": "2022-04-06T13:39:39.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1641/001", "external_id": "T1641.001" }, { "source_name": "ESET Clipboard Modification February 2019", "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. 
Retrieved July 26, 2019.", "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:57.794Z", "name": "Transmitted Data Manipulation", "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. 
For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "created": "2017-10-25T14:48:07.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1452", "external_id": "T1452" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:40.278Z", "name": "Manipulate App Store Rankings or Ratings", "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "created": "2017-10-25T14:48:32.008Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1416", "external_id": "T1416" }, { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:58.596Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. 
If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "created": "2022-03-28T19:31:51.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/001", "external_id": "T1474.001" }, { "source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. 
Retrieved November 17, 2024.", "url": "https://dl.acm.org/doi/10.1145/2185448.2185464" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", "external_id": "APP-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", "external_id": "SPC-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", "external_id": "SPC-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", "external_id": "SPC-9" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", "external_id": "SPC-10" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", "external_id": "SPC-15" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:58.857Z", "name": "Compromise Software Dependencies and Development Tools", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. 
Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "created": "2019-10-02T14:46:43.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1523", "external_id": "T1523" }, { "source_name": "Sophos Anti-emulation", "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019.", "url": "https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/" }, { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" }, { "source_name": "Cyberscoop Evade Analysis January 2019", "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019.", "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/" }, { "source_name": "ThreatFabric Cerberus", "description": "ThreatFabric. (2019, August). 
Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "Github Anti-emulator", "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. Retrieved October 2, 2019.", "url": "https://github.com/strazzere/anti-emulator" }, { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:58.965Z", "name": "Evade Analysis Environment", "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. 
\nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "created": "2022-04-01T15:15:35.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1635/001", "external_id": "T1635.001" }, { "source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html" }, { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. 
Retrieved September 11, 2020.", "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:59.057Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. 
Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Leo Zhang, Trend Micro", "Steven Du, Trend Micro" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "created": "2022-03-30T18:05:46.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1632", "external_id": "T1632" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:59.522Z", "name": "Subvert Trust Controls", "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. 
The method adversaries use will depend on the specific mechanism they seek to subvert. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "created": "2017-10-25T14:48:11.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1433", "external_id": "T1433" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:48:59.691Z", "name": "Access Call Log", "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary 
Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "created": "2020-09-11T15:04:14.532Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1581", "external_id": "T1581" }, { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" }, { "source_name": "Apple Location Services", "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020.", "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services" }, { "source_name": "Android Geofencing API", "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020.", "url": "https://developer.android.com/training/location/geofencing" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:02.464Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. 
The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to set up and execute geofencing. The app will need to call either `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). 
Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "created": "2017-10-25T14:48:29.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1401", "external_id": "T1401" }, { "source_name": "Android DeviceAdminInfo", "description": "Google. (n.d.). DeviceAdminInfo. 
Retrieved November 20, 2020.", "url": "https://developer.android.com/reference/android/app/admin/DeviceAdminInfo" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:02.729Z", "name": "Device Administrator Permissions", "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device\u2019s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. 
In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "created": "2017-10-25T14:48:34.830Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1443", "external_id": "T1443" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:02.916Z", "name": "Remotely Install Application", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "created": "2022-04-01T15:01:32.169Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1634/001", "external_id": "T1634.001" }, { "source_name": "Apple Keychain Services", "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.", "url": "https://developer.apple.com/documentation/security/keychain_services" }, { "source_name": "Elcomsoft Decrypt Keychain", "description": "V. 
Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020.", "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:03.949Z", "name": "Keychain", "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. 
By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", "created": "2017-10-25T14:48:29.092Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1403", "external_id": "T1403" }, { "source_name": "Sabanal-ART", "description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016.", "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:04.473Z", "name": "Modify Cached Executable Code", "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. 
Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "created": "2017-10-25T14:48:28.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1419", "external_id": "T1419" }, { "source_name": "Android-Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/os/Build" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T16:32:57.531Z", "name": "Device Type Discovery", "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). 
Device information could be used to target privilege escalation exploits.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "created": "2020-05-04T13:49:34.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1576", "external_id": "T1576" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:41.929Z", "name": "Uninstall Malicious Application", "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. 
This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2025-03-14T17:56:26.095Z", "name": "Virtualization Solution", "description": "Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.(Citation: Android Application Sandbox) There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).(Citation: Android AVF Overview) \n\n \n\nThrough virtualization solutions, adversaries may execute malicious operations without user knowledge. For example, adversaries may mimic a legitimate banking application\u2019s functionalities in a virtual environment, thanks to the virtualization solution, while malicious code captures credentials. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_contributors": [ "Liran Ravich, CardinalOps" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "created": "2025-03-14T17:56:26.095Z", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1670", "external_id": "T1670" }, { "source_name": "Android AVF Overview", "description": "Android Open Source Project. (n.d.). Android Virtualization Framework (AVF) overview. Retrieved February 26, 2025.", "url": "https://source.android.com/docs/core/virtualization" }, { "source_name": "Android Application Sandbox", "description": "Android Open Source Project. (n.d.). Application Sandbox. Retrieved February 26, 2025.", "url": "https://source.android.com/docs/security/app-sandbox" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "created": "2017-10-25T14:48:31.694Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1447", "external_id": "T1447" }, { "source_name": "Android DevicePolicyManager 2019", "description": "Android Developers. (n.d.). DevicePolicyManager. 
Retrieved September 22, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:05.463Z", "name": "Delete Device Data", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete, depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact of file deletion depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "created": "2017-10-25T14:48:09.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1448", "external_id": "T1448" }, { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). 
PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" }, { "source_name": "AndroidSecurity2014", "description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016.", "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:05.648Z", "name": "Carrier Billing Fraud", "description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. 
Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "created": "2017-10-25T14:48:17.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1415", "external_id": "T1415" }, { "source_name": "FireEye-Masque2", "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" }, { "source_name": "MobileIron-XARA", "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" }, { "source_name": "Dhanjani-URLScheme", "description": "Nitesh Dhanjani. (2010, November 8). 
Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.", "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", "external_id": "AUT-10" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T16:36:02.126Z", "name": "URL Scheme Hijacking", "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "created": "2022-04-06T15:47:06.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/002", "external_id": "T1481.002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:06.929Z", "name": "Bidirectional Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving 
output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "created": "2019-08-01T13:44:09.368Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1509", "external_id": "T1509" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:07.116Z", "name": "Non-Standard Port", "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. 
Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "created": "2022-03-28T19:25:17.596Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/003", "external_id": "T1474.003" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", "external_id": "SPC-11" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", "external_id": "SPC-12" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", "external_id": "SPC-18" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": "SPC-20" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:07.487Z", "name": "Compromise Software Supply Chain", "description": "Adversaries may manipulate 
application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "created": "2022-04-06T15:41:03.914Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/001", "external_id": "T1481.001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:07.948Z", "name": "Dead Drop Resolver", "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. 
Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "created": "2017-10-25T14:48:12.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430", "external_id": "T1430" }, { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" }, { "source_name": "Android Request Location Permissions", "description": "Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.", "url": "https://developer.android.com/training/location/permissions" }, { "source_name": "Apple Requesting Authorization for Location Services", "description": "Apple Developers. (n.d.). Requesting Authorization for Location Services. 
Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services" }, { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" }, { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html", "external_id": "APP-24" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:08.214Z", "name": "Location Tracking", "description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COARSE_LOCATION` or `ACCESS_FINE_LOCATION` permission can access the device\u2019s physical location. 
On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. 
With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "created": "2022-04-01T15:59:05.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1626/001", "external_id": "T1626.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:08.587Z", "name": "Device Administrator Permissions", "description": "Adversaries may abuse Android\u2019s device administration API to obtain a higher degree of control over the device. 
By abusing the API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device\u2019s cameras, or making it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can click through that approval popup and programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "created": "2017-10-25T14:48:17.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1446", "external_id": "T1446" }, { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" }, { "source_name": "Android resetPassword", "description": "Google. (n.d.). 
DevicePolicyManager. Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", "external_id": "APP-28" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:09.025Z", "name": "Device Lockout", "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. From Android 7 onward, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. 
However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "created": "2022-04-05T19:37:15.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430/001", "external_id": "T1430.001" }, { "source_name": "Krebs-Location", "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018.", "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:09.660Z", "name": "Remote Device Management Services", "description": "An adversary may use access to cloud services (e.g. 
Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2023-09-27T21:09:27.288Z", "name": "Data Destruction", "description": "Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. \n\nTo achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. 
For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) ` to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_contributors": [ "Liran Ravich, CardinalOps" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "created": "2023-09-22T19:09:15.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1662", "external_id": "T1662" }, { "source_name": "rootnik_rooting_tool", "description": "Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. Retrieved September 26, 2023.", "url": "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/" }, { "source_name": "abuse_native_linux_tools", "description": "Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. 
Retrieved September 26, 2023.", "url": "https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", "created": "2017-10-25T14:48:13.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1427", "external_id": "T1427" }, { "source_name": "ArsTechnica-PoisonTap", "description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016.", "url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/" }, { "source_name": "Wang-ExploitingUSB", "description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016.", "url": "http://dl.acm.org/citation.cfm?id=1920314" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", "external_id": "PHY-2" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:42.856Z", "name": "Attack PC via USB Connection", "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC.(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. 
We are unaware of any demonstrations on iOS.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", "created": "2025-05-19T18:24:54.985Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1676", "external_id": "T1676" }, { "source_name": "Signal_LinkedDevices_NoDate", "description": "Signal. (n.d.). Linked Devices. Retrieved May 9, 2025.", "url": "https://support.signal.org/hc/en-us/articles/360007320551-Linked-Devices" }, { "source_name": "WhatsApp_LinkDevice_NoDate", "description": "WhatsApp. (n.d.). How to link a device. Retrieved May 9, 2025.", "url": "https://faq.whatsapp.com/1317564962315842/?helpref=faq_content&cms_platform=web" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-05-19T20:03:02.656Z", "name": "Linked Devices", "description": "Adversaries may abuse the \u201clinked devices\u201d feature on messaging applications, such as Signal and WhatsApp, to register the user\u2019s account to an adversary-controlled device. 
By abusing the \u201clinked devices\u201d feature, adversaries may achieve and maintain persistence through the user\u2019s account, may collect information, such as the user\u2019s messages and contacts list, and may send future messages from the linked device.\n\nSignal is a messaging application that uses the open-source Signal Protocol to encrypt messages and calls; similarly, WhatsApp is a messaging application that has end-to-end encryption and other security measures to protect messages and calls. Both applications have a \u201clinked devices\u201d feature that allows users to access their Signal and/or WhatsApp accounts from different devices, such as a Windows or Mac desktop, an iPad or an Android tablet.(Citation: WhatsApp_LinkDevice_NoDate)(Citation: Signal_LinkedDevices_NoDate)\n\nAdversaries may use [Phishing](https://attack.mitre.org/techniques/T1660) techniques to trick the user into scanning a quick-response (QR) code, which is used to link the user\u2019s Signal and/or WhatsApp account to an adversary-controlled device. For example, adversaries may disguise QR codes as group invites, security alerts, or legitimate instructions for pairing linked devices. \nUpon scanning the QR code in Signal, users may click on the \u201cTransfer Message History\u201d option to sync the linked devices, which may allow adversaries to collect more information about the user. Upon scanning the QR code in WhatsApp, the user\u2019s device will automatically send an end-to-end encrypted copy of recent message history to the adversary-controlled device. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Giorgi Gurgenidze, GITAC" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "created": "2017-10-25T14:48:05.928Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1441", "external_id": "T1441" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:10.732Z", "name": "Stolen Developer Credentials or Signing Keys", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "created": "2017-10-25T14:48:22.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1467", "external_id": "T1467" }, { "source_name": "Computerworld-Femtocell", "description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. 
Retrieved December 24, 2016.", "url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "external_id": "CEL-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:43.216Z", "name": "Rogue Cellular Base Station", "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "modified": "2025-02-12T16:26:38.632Z", "name": "SIM Card Swap", "description": "Adversaries may gain access to mobile devices through transfers or swaps from victims\u2019 phone numbers to adversary-controlled SIM cards and mobile devices.(Citation: ATT SIM Swap Scams)(Citation: Verizon SIM Swapping) \n\nThe typical process is as follows: \n\n1. Adversaries will first gather information about victims through [Phishing](https://attack.mitre.org/techniques/T1660), social engineering, data breaches, or other avenues. \n2. Adversaries will then impersonate victims as they contact mobile carriers to request for the SIM swaps. 
For example, adversaries would provide victims\u2019 name and address to mobile carriers; once authenticated, adversaries would request that victims\u2019 phone numbers be transferred to adversary-controlled SIM cards. \n3. Once completed, victims will lose cellular service on their mobile devices: incoming text messages and phone calls no longer reach them. In turn, adversaries will receive the text messages and phone calls that were intended for the victims. \n\nAdversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use intercepted SMS one-time passcodes to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_contributors": [ "Karim Hasanen, @_karimhasanen", "Jennifer Kim Roman" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "created": "2017-10-25T14:48:20.329Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1451", "external_id": "T1451" }, { "source_name": "ATT SIM Swap Scams", "description": "AT&T. (n.d.). UPDATE: Secure Your Number to Reduce SIM Swap Scams. Retrieved January 27, 2025.", "url": "https://www.research.att.com/sites/cyberaware/ni/blog/sim_swap.html" }, { "source_name": "Verizon SIM Swapping", "description": "Verizon. (n.d.). SIM Swapping. 
Retrieved January 27, 2025.", "url": "https://www.verizon.com/about/account-security/sim-swapping" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "external_id": "STA-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "created": "2017-10-25T14:48:27.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417", "external_id": "T1417" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", "external_id": "AUT-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:11.864Z", "name": "Input Capture", "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. 
[GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "created": "2022-04-06T13:55:14.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1643", "external_id": "T1643" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", "external_id": "APP-16" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:12.043Z", "name": "Generate Traffic from Victim", "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. 
Applications cannot send SMS messages on iOS", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "created": "2022-04-08T16:29:30.087Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/003", "external_id": "T1630.003" }, { "source_name": "Brodie", "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.", "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf" }, { "source_name": "Rastogi", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.", "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf" }, { "source_name": "Tan", "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. 
Retrieved February 4, 2017.", "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", "external_id": "EMM-5" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:12.130Z", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "created": "2017-10-25T14:48:35.247Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1444", "external_id": "T1444" }, { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" }, { "source_name": "Zhou", "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.", "url": "http://ieeexplore.ieee.org/document/6234407" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", "external_id": "APP-14" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:12.301Z", "name": "Masquerade as Legitimate Application", "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. 
Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "created": "2017-10-25T14:48:19.682Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1457", "external_id": "T1457" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:12.390Z", "name": "Malicious Media Content", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "created": "2022-04-01T12:48:27.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/techniques/T1636/001", "external_id": "T1636.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:12.650Z", "name": "Calendar Entries", "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "created": "2022-03-30T19:36:09.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/002", "external_id": "T1630.002" }, { "source_name": "Android DevicePolicyManager 2019", "description": "Android Developers. (n.d.). DevicePolicyManager. 
Retrieved September 22, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:12.849Z", "name": "File Deletion", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "created": "2022-04-01T18:49:03.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/002", "external_id": "T1629.002" }, { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . 
Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" }, { "source_name": "Android resetPassword", "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" }, { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" }, { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:13.285Z", "name": "Device Lockout", "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted \u201ccall\u201d notification screens, and locking HTML pages in the foreground. 
These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device\u2019s passcode.(Citation: Android resetPassword)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "created": "2022-04-05T19:45:03.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417/001", "external_id": "T1417.001" }, { "source_name": "Zeltser-Keyboard", "description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. 
Retrieved December 21, 2016.", "url": "https://zeltser.com/third-party-keyboards-security/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", "external_id": "AUT-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:14.276Z", "name": "Keylogging", "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n* Additional methods of keylogging may be possible if root access is available. 
\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "created": "2020-09-11T15:14:33.730Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1582", "external_id": "T1582" }, { "source_name": "Android SmsProvider", "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.", "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java" }, { "source_name": "SMS KitKat", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", "external_id": "APP-16" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html", "external_id": "CEL-41" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:15.008Z", "name": "SMS Control", "description": "Adversaries may delete, alter, or send SMS messages without user authorization. 
This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "created": "2017-10-25T14:48:14.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1408", "external_id": "T1408" }, { "source_name": "Brodie", "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.", "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf" }, { "source_name": "Rastogi", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. 
Retrieved December 9, 2016.", "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf" }, { "source_name": "Tan", "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017.", "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", "external_id": "EMM-5" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:43.756Z", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. 
Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "created": "2017-10-25T14:48:27.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1438", "external_id": "T1438" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "external_id": "APP-30" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:15.184Z", "name": "Exfiltration Over Other Network Medium", "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "created": "2017-10-25T14:48:26.473Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1440", "external_id": "T1440" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:16.049Z", "name": "Detect App Analysis Environment", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "created": "2022-03-30T18:50:43.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1631", "external_id": "T1631" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:16.232Z", "name": "Process Injection", "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. 
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "created": "2017-10-25T14:48:24.905Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1462", "external_id": "T1462" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:17.290Z", "name": "Malicious Software Development Tools", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "created": "2022-04-05T20:14:17.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/techniques/T1521/001", "external_id": "T1521.001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:17.802Z", "name": "Symmetric Cryptography", "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "created": "2017-10-25T14:48:30.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1402", "external_id": "T1402" }, { "source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:18.426Z", "name": "Broadcast Receivers", "description": "An intent is a message passed between Android application or system components. 
Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2024-02-21T20:44:44.404Z", "name": "Wi-Fi Discovery", "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. 
Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "created": "2024-02-21T20:44:44.404Z", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1422/002", "external_id": "T1422.002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "created": "2022-03-28T19:30:15.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/002", "external_id": "T1474.002" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", "external_id": "SPC-1" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", "external_id": "SPC-2" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4" }, { "source_name": "NIST Mobile Threat Catalogue", "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", "external_id": "SPC-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", "external_id": "SPC-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", "external_id": "SPC-7" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", "external_id": "SPC-8" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", "external_id": "SPC-13" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", "external_id": "SPC-16" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", "external_id": "SPC-17" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", "external_id": "SPC-21" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:19.406Z", "name": "Compromise Hardware Supply Chain", "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "created": "2017-10-25T14:48:19.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1414", "external_id": "T1414" }, { "source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" }, { "source_name": "UIPPasteboard", "description": "Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/uikit/uipasteboard" }, { "source_name": "Fahl-Clipboard", "description": "Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved September 12, 2024.", "url": "https://saschafahl.de/static/paper/pwmanagers2013.pdf" }, { "source_name": "Github Capture Clipboard 2019", "description": "Pearce, G. (, January). 
Retrieved August 8, 2019.", "url": "https://github.com/grepx/android-clipboard-security" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html", "external_id": "APP-35" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:21.369Z", "name": "Clipboard Data", "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device\u2019s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read \u201capplication_name has pasted from Messages\u201d when the text was pasted in a different application.(Citation: UIPPasteboard)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "3.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "created": "2017-10-25T14:48:30.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1400", "external_id": "T1400" }, { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" }, { "source_name": "Apple-iOSSecurityGuide", "description": "Apple. (2016, May). iOS Security. 
Retrieved December 21, 2016.", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:21.464Z", "name": "Modify System Partition", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "created": "2022-04-06T13:34:46.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1641", "external_id": "T1641" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:21.564Z", "name": "Data Manipulation", "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "created": "2022-04-01T13:25:30.923Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/004", "external_id": "T1636.004" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:22.003Z", "name": "SMS Messages", "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. 
On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "created": "2019-02-01T17:29:43.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481", "external_id": "T1481" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:22.184Z", "name": "Web Service", "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
\n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "created": "2022-03-30T15:07:51.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1625/001", "external_id": "T1625.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:22.267Z", "name": "System Runtime API Hijacking", "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. 
By doing this, the adversary\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "created": "2017-10-25T14:48:07.149Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1455", "external_id": "T1455" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:22.801Z", "name": "Exploit Baseband Vulnerability", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "created": "2022-04-01T14:55:10.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1634", "external_id": "T1634" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:23.749Z", "name": "Credentials from Password Store", "description": 
"Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "created": "2021-09-24T14:47:34.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1617", "external_id": "T1617" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:24.183Z", "name": "Hooking", "description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. 
By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "J\u00f6rg Abraham, EclecticIQ" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1478", "external_id": "T1478" }, { "source_name": "Talos-MDM", "description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018.", "url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html" }, { "source_name": "Symantec-iOSProfile", "description": "Yair Amit. (2013, March 12). Malicious Profiles \u2013 The Sleeping Giant of iOS Security. 
Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:24.367Z", "name": "Install Insecure or Malicious Configuration", "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. 
The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "created": "2017-10-25T14:48:21.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1420", "external_id": "T1420" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", "external_id": "STA-41" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:24.899Z", "name": "File and Directory Discovery", "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. 
The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "created": "2017-10-25T14:48:32.328Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1406", "external_id": "T1406" }, { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . 
Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", "external_id": "APP-21" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:25.462Z", "name": "Obfuscated Files or Information", "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. 
Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "3.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "created": "2019-09-15T15:26:22.356Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1516", "external_id": "T1516" }, { "source_name": "bitwarden autofill logins", "description": "Bitwarden. (n.d.). Auto-fill logins on Android . Retrieved September 15, 2019.", "url": "https://help.bitwarden.com/article/auto-fill-android/" }, { "source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" }, { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:25.635Z", "name": "Input Injection", "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "created": "2017-10-25T14:48:25.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1464", 
"external_id": "T1464" }, { "source_name": "CNET-Celljammer", "description": "Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.", "url": "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/" }, { "source_name": "Arstechnica-Celljam", "description": "David Kravets. (2016, March 10). Man accused of jamming passengers\u2019 cell phones on Chicago subway. Retrieved November 8, 2018.", "url": "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/" }, { "source_name": "NIST-SP800187", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" }, { "source_name": "NYTimes-Celljam", "description": "Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.", "url": "https://www.nytimes.com/2007/11/04/technology/04jammer.html" }, { "source_name": "Digitaltrends-Celljam", "description": "Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students\u2019 cell phones. 
Retrieved November 8, 2018.", "url": "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "external_id": "CEL-7" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", "external_id": "CEL-8" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", "external_id": "LPN-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", "external_id": "GPS-0" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-05-19T15:21:04.030Z", "name": "Network Denial of Service", "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. 
For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jams devices within the jammer\u2019s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.4", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "created": "2020-05-07T15:24:49.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1577", "external_id": "T1577" }, { "source_name": "Guardsquare Janus", "description": "Guardsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020.", "url": "https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures" }, { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:26.629Z", "name": "Compromise Application Executable", "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantage of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. 
These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "created": "2022-03-30T14:25:41.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1624", "external_id": "T1624" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:26.888Z", "name": "Event Triggered Execution", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim\u2019s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "created": "2017-10-25T14:48:32.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1422", "external_id": "T1422" }, { "source_name": "NetworkInterface", "description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/java/net/NetworkInterface.html" }, { "source_name": "TelephonyManager", "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:26.973Z", "name": "System Network Configuration Discovery", "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. 
\n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.4", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "created": "2017-10-25T14:48:25.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1463", "external_id": "T1463" }, { "source_name": "FireEye-SSL", "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. 
Retrieved December 24, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:45.230Z", "name": "Manipulate Device Communication", "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "created": "2019-08-09T16:14:58.254Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1512", "external_id": "T1512" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": 
"APP-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:28.248Z", "name": "Video Capture", "description": "An adversary can leverage a device\u2019s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device\u2019s cameras for video recording rather than capturing the victim\u2019s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "created": "2022-04-06T15:52:07.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/003", "external_id": "T1481.003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:28.337Z", "name": "One-Way Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. 
Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1475", "external_id": "T1475" }, { "source_name": "Oberheide-Bouncer", "description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.", "url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf" }, { "source_name": "Oberheide-RemoteInstall", "description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.", "url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/" }, { "source_name": "Percoco-Bouncer", "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.", "url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf" }, { "source_name": "Konoth", "description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. 
Retrieved December 12, 2016.", "url": "http://www.vvdveen.com/publications/BAndroid.pdf" }, { "source_name": "Petsas", "description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016.", "url": "http://dl.acm.org/citation.cfm?id=2592796" }, { "source_name": "Wang", "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.", "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", "external_id": "ECO-4" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", "external_id": "ECO-16" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", "external_id": "ECO-17" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", "external_id": "APP-20" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", "external_id": "APP-21" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", "external_id": "ECO-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:28.427Z", "name": "Deliver Malicious App via Authorized App Store", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile 
devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. 
(Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "created": "2017-10-25T14:48:10.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1471", "external_id": "T1471" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", "external_id": "APP-28" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:28.514Z", "name": "Data Encrypted for Impact", "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. 
This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "3.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "created": "2022-04-01T18:44:32.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/001", "external_id": "T1629.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:28.687Z", "name": "Prevent Application Removal", "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. 
This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from the settings screen. \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Shankar Raman, Gen Digital and Abhinand, Amrita University" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "created": "2017-10-25T14:48:33.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1421", "external_id": "T1421" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": 
"2025-10-24T17:49:29.321Z", "name": "System Network Connections Discovery", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WifiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. 
Both methods require the application to hold the `ACCESS_FINE_LOCATION` permission.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "created": "2023-09-21T19:35:15.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1660", "external_id": "T1660" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", "external_id": "AUT-9" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-20T17:38:10.545Z", "name": "Phishing", "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing.\u201d Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. 
For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims into performing some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick the victims into acting quickly, which leads to adversaries obtaining credentials and other information. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \"vishing\") to persuade them to perform an action, such as providing login credentials or navigating to malicious websites. 
Common vishing targets include employees, especially executives of organizations, and help desks. This may also be used as a technique to perform the initial access on a mobile device, but then pivot to a desktop computer by having the victims perform actions on a desktop computer. With the rise of artificial intelligence (AI), adversaries may also use AI to clone a person\u2019s voice, resulting in deepfake vishing. The cloned voice provides familiarity to the victims, increasing the likelihood of successful malicious actions performed by the victims. Additionally, adversaries may leave voicemails, which may use a real person\u2019s voice or an AI-generated voice; these scams would urgently ask victims into calling back to perform an action, e.g. sending money or providing sensitive information and credentials.\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Vijay Lalwani", "Will Thomas, Equinix", "Adam Mashinchi", "Sam Seabrook, Duke Energy", "Naveen Devaraja, bolttech", "Brian Donohue", "Lookout" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2024-04-16T20:24:13.854Z", "name": "SSL Pinning", "description": "Adversaries may use [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) to protect the C2 traffic from being intercepted and analyzed.\n\n[SSL Pinning](https://attack.mitre.org/techniques/T1521/003) is a technique commonly utilized by legitimate websites to ensure that encrypted communications are only allowed with a pre-defined certificate. 
If another certificate is presented, it could indicate device compromise, traffic interception, or another upstream issue. While benign usages are common, it is also possible for adversaries to abuse this technology to protect malicious C2 traffic.\n\nIn normal, non-pinned SSL validation, when a client connects to a server using HTTPS, it typically checks whether the server\u2019s SSL/TLS certificate is signed by a trusted Certificate Authority (CA) in the device\u2019s trust store. If the certificate is valid and signed by a trusted CA, the connection is established. However, with [SSL Pinning](https://attack.mitre.org/techniques/T1521/003), the client is configured to trust a specific SSL/TLS certificate or public key, rather than relying on the device\u2019s trust store. This means that even if the server\u2019s certificate is signed by a trusted CA, the client will only establish the connection if the certificate or key is pinned.\n\nThere are two types of [SSL Pinning](https://attack.mitre.org/techniques/T1521/003):\n\n1.\tCertificate Pinning: The client stores a copy of the server\u2019s certificate and compares it with the certificate received during the SSL handshake. If the certificates match, then the client proceeds with the connection. This approach also works with self-signed certificates.\n\n2.\tPublic Key Pinning: Instead of pinning the entire certificate, the client pins just the public key extracted from the certificate. 
This is often more flexible, as it allows the server to renew its certificate without having to update the pinned certificate or breaking the SSL connection.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_contributors": [ "Takahashi Wataru, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "created": "2024-03-29T15:04:38.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1521/003", "external_id": "T1521.003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "created": "2017-10-25T14:48:24.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1461", "external_id": "T1461" }, { "source_name": "Wired-AndroidBypass", "description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.", "url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/" }, { "source_name": "Kaspersky-iOSBypass", "description": "Chris Brook. (2016, November 17). 
iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.", "url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/" }, { "source_name": "TheSun-FaceID", "description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple\u2019s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018.", "url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/" }, { "source_name": "SRLabs-Fingerprint", "description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.", "url": "https://srlabs.de/bites/spoofing-fingerprints/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:29.764Z", "name": "Lockscreen Bypass", "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. 
Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", "created": "2020-12-16T20:16:07.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1605", "external_id": "T1605" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:30.335Z", "name": "Command-Line Interface", "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java\u2019s `Runtime` package. 
On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "created": "2022-04-01T13:17:52.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/003", "external_id": "T1636.003" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:30.430Z", "name": "Contact List", "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user\u2019s knowledge or approval. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "created": "2019-10-10T15:12:42.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1533", "external_id": "T1533" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", "external_id": "STA-41" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:30.706Z", "name": "Data from Local System", "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. 
\n\n ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "created": "2022-04-06T13:29:47.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1640", "external_id": "T1640" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:31.052Z", "name": "Account Access Removal", "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "created": "2017-10-25T14:48:19.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1426", "external_id": "T1426" }, { "source_name": "Android-Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/os/Build" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:31.141Z", "name": "System Information Discovery", "description": "Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. 
Typically, applications will only be able to query the device model and which version of iOS it is running. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "created": "2017-10-25T14:48:28.786Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1442", "external_id": "T1442" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:31.232Z", "name": "Fake Developer Accounts", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "created": "2019-07-26T14:15:31.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1510", "external_id": "T1510" }, { "source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" }, { "source_name": "Dr.Webb Clipboard Modification origin August 2018", "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. 
Retrieved July 26, 2019.", "url": "https://vms.drweb.com/virus/?i=17517750" }, { "source_name": "Dr.Webb Clipboard Modification origin2 August 2018", "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019.", "url": "https://vms.drweb.com/virus/?i=17517761" }, { "source_name": "ESET Clipboard Modification February 2019", "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019.", "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/" }, { "source_name": "Welivesecurity Clipboard Modification February 2019", "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019.", "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/" }, { "source_name": "Syracuse Clipboard Modification 2014", "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. 
Retrieved July 26, 2019.", "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:31.403Z", "name": "Clipboard Modification", "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. 
This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "created": "2019-10-10T15:00:44.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1532", "external_id": "T1532" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:31.761Z", "name": "Archive Collected Data", "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "created": "2022-03-30T20:36:03.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1627/001", "external_id": "T1627.001" }, { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:31.935Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fis accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. 
\n\nOne method to accomplish\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fon Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call\u202f`requestWhenInUseAuthorization()`\u202for\u202f`requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fcan be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). 
Other malicious usages could include showing language-specific input prompts and/or advertisements.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "created": "2019-07-10T15:18:16.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1507", "external_id": "T1507" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:46.125Z", "name": "Network Information Discovery", "description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "created": "2017-10-25T14:48:15.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1412", "external_id": "T1412" } ], 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:33.068Z", "name": "Capture SMS Messages", "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "modified": "2024-04-17T16:50:41.414Z", "name": "Conceal Multimedia Files", "description": "Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files. \n\nSpecific to Android devices, if the `.nomedia` file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. 
Additionally, other applications are asked not to scan the folder with the `.nomedia` file, effectively making the folder appear invisible to the user. \n\nThis technique is often used by stalkerware and spyware applications. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_contributors": [ "Shankar Raman, Amrita University, Gen Digital, Traboda" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "created": "2024-02-20T21:44:32.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628/003", "external_id": "T1628.003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "attack-pattern", "id": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "created": "2022-04-06T13:52:05.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1642", "external_id": "T1642" }, { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" }, { "source_name": "Android resetPassword", "description": "Google. (n.d.). DevicePolicyManager. 
Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:33.803Z", "name": "Endpoint Denial of Service", "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "created": "2022-04-06T15:27:34.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1644", "external_id": "T1644" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:34.162Z", "name": "Out of Band 
Data", "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "created": "2019-10-01T14:18:47.762Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1521", "external_id": "T1521" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:34.332Z", "name": "Encrypted Channel", "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a 
communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", "created": "2017-10-25T14:48:22.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1405", "external_id": "T1405" }, { "source_name": "EkbergTEE", "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016.", "url": "https://usmile.at/symposium/program/2015/ekberg" }, { "source_name": "Thomas-TrustZone", "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016.", "url": "https://usmile.at/symposium/program/2015/thomas-holmes" }, { "source_name": "QualcommKeyMaster", "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016.", "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html" }, { "source_name": "laginimaineb-TEE", "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. 
Retrieved December 21, 2016.", "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:46.487Z", "name": "Exploit TEE Vulnerability", "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "created": "2022-03-30T20:06:22.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628/001", "external_id": "T1628.001" }, { "source_name": "Android 10 
Limitations to Hiding App Icons", "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons" }, { "source_name": "LauncherApps getActivityList", "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022.", "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist" }, { "source_name": "sunny-stolen-credentials", "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/" }, { "source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" }, { "source_name": "bankbot-spybanker", "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved September 12, 2024.", "url": "https://www.cyber.nj.gov/threat-landscape/malware/trojans/bankbot-spy-banker" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:35.410Z", "name": "Suppress Application Icon", "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. 
\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications\u2019 ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application\u2019s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app\u2019s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application\u2019s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Emily Ratliff, IBM" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", "created": "2017-10-25T14:48:18.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1399", "external_id": "T1399" }, { "source_name": "Apple-iOSSecurityGuide", "description": "Apple. (2016, May). iOS Security. 
Retrieved December 21, 2016.", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf" }, { "source_name": "Roth-Rootkits", "description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016.", "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:35.592Z", "name": "Modify Trusted Execution Environment", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "created": "2017-10-25T14:48:23.652Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1459", "external_id": "T1459" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:36.126Z", "name": "Device Unlock Code Guessing or Brute Force", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "created": "2017-10-25T14:48:21.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1466", "external_id": "T1466" }, { "source_name": "NIST-SP800187", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", "external_id": "CEL-3" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:47.035Z", "name": "Downgrade to Insecure Protocols", "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). 
Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "created": "2023-07-12T20:29:48.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1655", "external_id": "T1655" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", "external_id": "APP-14" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:38.098Z", "name": "Masquerading", "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. 
This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "created": "2017-10-25T14:48:18.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1472", "external_id": "T1472" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-18T18:00:47.215Z", "name": "Generate Fraudulent Advertising Revenue", "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": 
"attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "created": "2017-10-25T14:48:09.446Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1473", "external_id": "T1473" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:38.547Z", "name": "Malicious or Vulnerable Built-in Device Functionality", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "created": "2022-03-30T19:19:23.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1406/001", "external_id": "T1406.001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:38.813Z", "name": "Steganography", "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. 
Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", "created": "2017-10-25T14:48:06.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1449", "external_id": "T1449" }, { "source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" }, { "source_name": "TheRegister-SS7", "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018.", "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/" }, { "source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. 
Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" }, { "source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" }, { "source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", "external_id": "CEL-37" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:38.896Z", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Without Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "created": "2022-03-30T20:00:12.654Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628", "external_id": "T1628" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:39.161Z", "name": "Hide Artifacts", "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application\u2019s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. 
Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "created": "2022-03-30T18:13:26.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1632/001", "external_id": "T1632.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:39.422Z", "name": "Code Signing Policy Modification", "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. 
Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "created": "2022-04-05T19:59:03.161Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1637/001", "external_id": "T1637.001" }, { "source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" }, { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:39.530Z", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "created": "2017-10-25T14:48:06.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1456", "external_id": "T1456" }, { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", "external_id": "CEL-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:39.614Z", "name": "Drive-By Compromise", "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. 
Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "attack-pattern", "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "created": "2019-07-11T18:09:42.039Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1508", "external_id": "T1508" }, { "source_name": "sunny-stolen-credentials", "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/" }, { "source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. 
Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" }, { "source_name": "bankbot-spybanker", "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019.", "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T17:49:39.785Z", "name": "Suppress Application Icon", "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1789", "external_id": "AN1789" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-18T19:33:15.080Z", "name": "Analytic 
1789", "description": "Defender observes an app (bundle/process) performing large-scope directory listings or metadata reads via FileProvider/NSFileManager against user-visible containers (Files app locations, iCloud/On-My-iPhone) or external providers, with rapid traversal across many folders while the app is backgrounded or without corresponding UI activity (unifiedlogs:FileProvider, unifiedlogs:FileIO). Optional signals include Photo library or document picker bulk enumeration absent recent user gesture. Correlate on bundle/process/profile and path volume within a bounded window.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "iOS:unifiedlog", "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window between enumeration API calls and path bursts (e.g., 30\u2013300s)." }, { "field": "MinDistinctPaths", "description": "Minimum number of unique paths to flag discovery (e.g., \u226540)." 
}, { "field": "TargetPathRegex", "description": "Enterprise-relevant containers/providers to include/exclude." }, { "field": "RequireBackgroundState", "description": "Set true to require background discovery for higher confidence." }, { "field": "AllowlistedBundles", "description": "Legitimate backup/DLP/file-management apps to suppress." }, { "field": "ManagedProfileScope", "description": "Limit to managed devices/profiles." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1740", "external_id": "AN1740" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-12-04T17:05:14.687Z", "name": "Analytic 1740", "description": "Correlates unauthorized alterations to launchd configuration (LaunchDaemons/LaunchAgents plists), background execution entitlements, or sideloaded app containers with suspicious auto-start behavior during device boot or user unlock. 
From the defender\u2019s view this shows up as new or modified plist files in launchd directories, launchd starting binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes that remain active immediately after boot/unlock.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "name": "iOS:unifiedlog", "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "iOS:unifiedlog", "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock" }, { "x_mitre_data_component_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", "name": "iOS:unifiedlog", "channel": "Application gaining or using unexpected background execution entitlements or modes" } ], "x_mitre_mutable_elements": [ { "field": "JailbreakIndicators", "description": "List of filesystem paths or process names that identify intentionally jailbroken lab devices and should be handled differently." }, { "field": "LaunchdWhitelist", "description": "Organization-specific list of allowed launchd job labels and binary paths." }, { "field": "AllowedBackgroundModes", "description": "Per-app allow list for background execution modes (for example, VOIP, location) to reduce noise." }, { "field": "BootUnlockWindow", "description": "Time window after boot or unlock within which unexpected launchd auto-starts are considered high risk." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1649", "external_id": "AN1649" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T17:42:33.331Z", "name": "Analytic 1649", "description": "Defender correlates an app querying device model and iOS version (often limited to UIDevice-visible attributes) with subsequent behavior divergence (capability gating, alternate code paths) and/or near-term outbound connections, suggesting device fingerprinting for decision-making rather than normal telemetry.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Application invokes UIDevice queries (model, systemVersion, name)" } ], "x_mitre_mutable_elements": [ { "field": "QueryFrequencyThreshold", "description": "Baseline-dependent threshold for distinguishing normal app telemetry from discovery behavior" }, { "field": "QueryToExecutionDeviationWindow", "description": "Defines acceptable delay between device queries and execution changes" }, { "field": "DeviceModelBaseline", "description": "Allows tuning for environments with homogeneous vs heterogeneous device fleets" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0619#AN1679", "external_id": "AN1679" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1679", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1725", "external_id": "AN1725" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-06T16:02:58.850Z", "name": "Analytic 1725", "description": "The defender 
correlates application TLS trust customization activity with subsequent outbound encrypted sessions that bypass enterprise interception visibility or fail only under enterprise inspection conditions. The analytic looks for an app establishing its own certificate or public-key trust logic, then initiating HTTPS sessions to destinations not aligned with approved app behavior, especially from background state or without recent user interaction. Higher-confidence observations come from Android runtime/framework telemetry showing custom trust manager, certificate validation override, or pin validation logic immediately preceding network connection attempts, combined with network evidence of failed-inspection patterns or opaque direct TLS sessions.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "TLS trust customization and outbound HTTPS session occur while app_state=background or device_locked=true or recent_user_interaction=false" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline" }, { 
"x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Inspection", "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between trust customization activity and outbound TLS connection" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to implement SSL pinning such as banking, enterprise auth, or secure messaging apps" }, { "field": "AllowedDestinationList", "description": "Approved domains, IPs, and service endpoints for managed applications" }, { "field": "ForegroundStateRequired", "description": "Whether the application is expected to establish pinned sessions only during active user-driven workflows" }, { "field": "InspectionFailureThreshold", "description": "Number of repeated inspection failures or certificate mismatch events before escalating" }, { "field": "RetryPatternWindow", "description": "Time tolerance for inspection failure followed by retry/direct connection pattern" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0684#AN1792", "external_id": "AN1792" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1792", "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nEnterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "Network Traffic", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "name": "Network Traffic", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1829", "external_id": "AN1829" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T17:06:45.192Z", "name": "Analytic 1829", "description": "The defender correlates creation or registration of deferred, repeating, or constraint-based background work with later task execution in the same app context, especially when the task executes without recent user interaction, from background state, or with follow-on file, sensor, or network behavior inconsistent with the app's declared role. 
The analytic prioritizes Android-observable control-plane effects: WorkManager enqueue operations, JobScheduler or AlarmManager scheduling, later wake or execution of the scheduled work, and post-trigger activity such as network sessions, local staging, or sensor access.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", "name": "MobileEDR:telemetry", "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between task registration and later execution, and between execution and follow-on behavior" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to use WorkManager, JobScheduler, or AlarmManager such as mail, sync, backup, calendar, or enterprise management apps" }, { "field": "AllowedConstraintProfiles", "description": "Expected charging, network, idle, or timing constraints for legitimate scheduled work" }, { "field": "AllowedScheduleIntervals", "description": "Expected delay or periodic interval ranges for legitimate app behavior" }, { "field": "ForegroundStateRequired", "description": "Whether follow-on activity from a scheduled task should only occur during active user-driven workflows for a given 
app" }, { "field": "TriggerToNetworkWindow", "description": "Maximum expected delay between scheduled job trigger and outbound communication" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after scheduled execution to treat network behavior as meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1747", "external_id": "AN1747" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-06T15:07:15.622Z", "name": "Analytic 1747", "description": "A defender correlates a sudden carrier identity/service state change (SIM/line identifier change or unexpected loss of cellular service) with near-term device messaging/telephony disruption and a concurrent shift in authentication traffic patterns\u2014such as a spike in SMS-based verification flows or account recovery activity from the same user\u2019s identities\u2014indicating the user\u2019s number may have been transferred to a different SIM/device (SIM swap impact).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Cellular service state transitions (in-service\u2192no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss" } ], "x_mitre_mutable_elements": [ { "field": "ServiceLossDurationThreshold", "description": "Minimum duration of unexpected cellular service loss before considering it suspicious (reduces noise from transient coverage issues)." }, { "field": "SimStateChangeTypes", "description": "Which SIM-related state changes to alert on (SIM removed, SIM refresh, operator changed, eSIM profile changed)." }, { "field": "SwapCorrelationWindow", "description": "Time window to correlate SIM/service state change with downstream identity traffic anomalies (e.g., 30m\u20136h)." }, { "field": "IdentityEndpointAllowList", "description": "Baseline of expected IdP/banking/crypto identity endpoints for the org; used to reduce false positives." 
}, { "field": "AuthTrafficSpikeThreshold", "description": "Threshold for increase in OTP/MFA/account recovery traffic volume relative to user baseline." }, { "field": "UserTravelContext", "description": "Optional enrichment\u2014treat carrier changes as lower risk during known travel/roaming windows." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0652#AN1736", "external_id": "AN1736" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1736", "description": "Application vetting services may detect when an application requests permissions after an application update.\nApplication vetting services may look for indications that the application\u2019s update includes malicious code at runtime. 
\nApplication vetting services may be able to list domains and/or IP addresses that applications communicate with.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0694#AN1807", "external_id": "AN1807" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T15:50:52.912Z", "name": "Analytic 1807", "description": "Correlates (1) abnormal application or system resource resolution behavior (e.g., library loading, path resolution, or intent redirection), (2) execution of code or resources not aligned with the originating application\u2019s package identity or expected runtime context, and (3) follow-on execution or network activity originating from the hijacked flow. 
The defender observes a causal chain where execution is redirected from an expected code path to an alternate resource or payload, resulting in execution under a trusted context but with untrusted origin.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "MobileEDR:telemetry", "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between abnormal resource loading and execution/network activity" }, { "field": "AllowedLibraryPaths", "description": "Baseline of expected library/resource load paths per application" }, { "field": "TrustedSignatureList", "description": "Trusted signing identities for application components" }, { "field": "AllowedAppList", "description": "Applications allowed to dynamically load code or use external resources" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0710#AN1836", "external_id": "AN1836" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1836", "description": "Mobile security products can use attestation to detect compromised devices.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0647#AN1727", "external_id": "AN1727" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T21:01:31.075Z", "name": "Analytic 1727", "description": "The defender correlates application registration for system event triggers (e.g., broadcast receivers, WorkManager, JobScheduler, SMS/BOOT events) with subsequent execution of application code immediately following the triggering event, without direct user interaction. 
Confidence increases when execution occurs in background or locked state, is tied to sensitive triggers (SMS received, boot completed, connectivity change), and produces follow-on file or network activity inconsistent with the application\u2019s expected role.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "System event occurs (e.g., SMS received, device boot completed, network state changed) acting as trigger event for execution phase" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between event trigger occurrence and execution behavior" }, { "field": "SensitiveEventList", "description": "List of high-risk trigger events such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE, PACKAGE_ADDED" }, { "field": "AllowedAppList", "description": "Applications legitimately expected to use background scheduling or event-driven execution (e.g., messaging, system services)" }, { "field": "ForegroundStateRequired", "description": "Whether execution should only occur during active user interaction for specific app categories" }, { "field": "ExecutionDelayThreshold", "description": "Maximum allowed delay between event trigger and execution to still be considered causal" }, { "field": "UplinkBytesThreshold", 
"description": "Minimum outbound data volume after event-triggered execution to indicate meaningful activity" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0708#AN1832", "external_id": "AN1832" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1832", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1759", "external_id": "AN1759" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-16T15:51:26.313Z", "name": "Analytic 1759", "description": "Correlates app sandbox escape attempts via unsigned binary execution, mmap memory permission changes (RWX), and sandbox profile violations. 
Detection chain includes app leveraging JIT/JSC to execute shellcode or triggering kernel exploit via crafted IOKit or Mach port abuse.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "iOS:unifiedlog", "channel": "code signature validation failure / exec of invalidly-signed payload from sandboxed app" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "iOS:unifiedlog", "channel": "mmap with PROT_EXEC and PROT_WRITE by sandboxed app" } ], "x_mitre_mutable_elements": [ { "field": "ExecutableHashAllowList", "description": "Allowlist known benign unsigned binaries for reducing FP." }, { "field": "RWXThreshold", "description": "Adjustable threshold for RWX page allocation frequency or size." }, { "field": "JITContextDetection", "description": "May require tuning based on OS version and legitimate app usage (e.g., Safari JIT)." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0701#AN1819", "external_id": "AN1819" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1819", "description": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0698#AN1814", "external_id": "AN1814" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1814", "description": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], 
"x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0609#AN1662", "external_id": "AN1662" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1662", "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0632#AN1704", "external_id": "AN1704" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1704", "description": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0690#AN1801", "external_id": "AN1801" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:17.842Z", "name": "Analytic 1801", "description": "Correlates (1) a malicious application gaining or using a removal-capable control path, such as device owner or delegated app-management authority, accessibility service control over uninstall UI, or rooted filesystem access, (2) initiation of uninstall or package-removal behavior, and (3) disappearance of the application from installed-state inventory or app runtime immediately afterward, often with a short-lived final burst of local cleanup or outbound communication. 
The defender observes a causal chain where the application first establishes the ability to remove itself, then triggers uninstall or deletion, and then vanishes from expected app presence while device activity continues.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application has accessibility service privileges immediately before package-removal UI flow and subsequent application disappearance" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss" }, { "x_mitre_data_component_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "name": "MobileEDR:telemetry", "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime" } ], "x_mitre_mutable_elements": [ { 
"field": "TimeWindow", "description": "Correlation window between uninstall-capable control, removal action, and app disappearance" }, { "field": "RemovalAuthoritySet", "description": "Roles or privileges considered capable of enabling silent or assisted uninstall, such as device owner, delegated app-management authority, accessibility, or rooted filesystem access" }, { "field": "AllowedRemovalApps", "description": "Legitimate enterprise or device-management apps allowed to uninstall applications" }, { "field": "RemovalAttemptSignalSet", "description": "Signals used to recognize uninstall initiation, such as package-removal actions, uninstall intent flows, or accessibility-driven confirmation steps" }, { "field": "DisappearanceThreshold", "description": "Maximum time between removal action and loss of installed-state visibility" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold used to confirm final activity before self-removal" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0633#AN1705", "external_id": "AN1705" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1705", "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.\nMobile security products can potentially detect jailbroken devices.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], 
"x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1768", "external_id": "AN1768" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-08T18:29:03.808Z", "name": "Analytic 1768", "description": "The defender correlates managed-app data access and lifecycle context with indirect evidence of packaging or encryption prior to outbound transfer. Because direct archive/compression visibility is generally weaker on iOS, the analytic anchors on app lifecycle state, file/output effects observable by mobile EDR where available, managed app role via MDM, and downstream network uploads that closely follow creation of new large or high-entropy local artifacts. 
Confidence is lower when only network effects are available.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Supervised managed app without expected export, backup, or sync role performs local data staging behavior followed by opaque upload activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Managed app enters background-capable execution or resumes processing immediately before archive-like file creation or upload behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between lifecycle event, local package creation, and upload" }, { "field": "AllowedAppList", "description": "Managed apps expected to archive, export, or synchronize data" }, { "field": "AllowedDestinationList", "description": "Approved cloud, enterprise, or sync endpoints for legitimate exports" }, { "field": "ForegroundStateRequired", "description": "Whether packaging or export should occur only during active user interaction" }, { "field": 
"ArchiveSizeThreshold", "description": "Minimum size for suspicious local package or blob" }, { "field": "EntropyThreshold", "description": "Threshold for identifying encrypted or compressed staged output" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume consistent with recently created archive" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1714", "external_id": "AN1714" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-12T17:09:47.656Z", "name": "Analytic 1714", "description": "Defender correlates an iOS-specific reduced-confidence chain where a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. 
Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "iOS:MDMLog", "channel": "Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "iOS:MDMLog", "channel": "No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "MobileEDR:telemetry", "channel": "Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", 
"description": "Maximum span for correlating app activity, posture stability, and repeated network failure into a single denial event." }, { "field": "SupervisedOnly", "description": "Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry." }, { "field": "AllowedAppList", "description": "Apps expected to retry aggressively or queue offline work during routine coverage degradation." }, { "field": "ForegroundStateRequired", "description": "Whether the app should be foreground or recently active for the analytic to be treated as high confidence." }, { "field": "RecentUserInteractionWindow", "description": "Time threshold for determining whether the denial occurred during active user use versus background idle periods." }, { "field": "FailureBurstThreshold", "description": "Threshold for repeated session failures, resets, timeouts, or DNS failures within the correlation window." }, { "field": "ExpectedCoverageZones", "description": "Known sites or geographies where benign poor service should be baseline-adjusted." }, { "field": "TrustedDestinationAllowList", "description": "Expected enterprise destinations whose temporary maintenance or outage should not be treated as device-targeted denial." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1816", "external_id": "AN1816" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-18T16:14:55.614Z", "name": "Analytic 1816", "description": "The defender correlates repeated inbound retrieval and outbound submission activity by the same Android app identity to the same legitimate public web-service class within a short operational window, where the two-way exchange is inconsistent with the app's approved role, interaction model, or background behavior baseline. The strongest Android evidence is app-attributed communication to collaboration, social, cloud storage, code-hosting, messaging, or generic HTTPS platforms where requests that retrieve content are followed by app-attributed posts, uploads, document updates, API writes, or repeated small bidirectional exchanges, especially when they occur while the app is backgrounded, while the device is locked, without recent user interaction, or shortly after local staging or protected-resource access.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within 
TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "AppState=background when bidirectional exchange with public web-service domain began and no foreground transition occurred between retrieval and outbound write" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Background work scheduler, job execution, foreground-service start, or persistent 
service activation immediately preceded retrieve-then-write exchange with public web-service platform" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between retrieval and outbound write over the same web-service class." }, { "field": "AllowedAppList", "description": "Approved app identities vary by organization, business unit, and device group." }, { "field": "AllowedServiceClasses", "description": "Some apps legitimately perform read/write operations against collaboration, storage, or messaging services." }, { "field": "AllowedReadWriteMappings", "description": "Defines which apps are expected to both retrieve and submit content to a given public service class." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close the bidirectional exchange must be to user activity to be considered expected." }, { "field": "BeaconIntervalTolerance", "description": "Allowed recurrence interval for repeated bidirectional exchanges varies by app type." }, { "field": "ForegroundStateRequired", "description": "Some apps should only perform read/write web interactions while foregrounded." }, { "field": "InboundOutboundRatioThreshold", "description": "Expected ratio of response size to outbound write size varies by legitimate app workflow." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1762", "external_id": "AN1762" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-06T15:51:25.896Z", "name": "Analytic 1762", "description": "An application generates, imports, or accesses asymmetric keypairs (e.g., RSA/ECC), uses a public key to encrypt outbound data or establish encrypted sessions, and transmits resulting ciphertext in structured communication patterns. Detection correlates keypair lifecycle activity + asymmetric crypto API usage + data transformation + background execution context + network transmission, especially when inconsistent with expected application functionality.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "App writes 
asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between keypair usage and outbound communication" }, { "field": "AllowedCryptoApps", "description": "Apps expected to use asymmetric cryptography (e.g., secure messaging, VPN, enterprise auth apps)" }, { "field": "ForegroundStateRequired", "description": "Whether key generation/encryption should occur only during user interaction" }, { "field": "KeyGenerationThreshold", "description": "Frequency of keypair generation/import events considered anomalous" }, { "field": "PayloadSizeVariance", "description": "Expected variability in payload sizes due to asymmetric encryption overhead" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0598#AN1644", "external_id": "AN1644" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:18.846Z", "name": "Analytic 1644", "description": "Correlates (1) an application obtaining or maintaining elevated control mechanisms capable of resisting removal (device administrator, accessibility 
control, managed-owner posture), (2) user navigation into uninstall or application-management flows, and (3) immediate UI redirection, back-navigation injection, modal dismissal, or failed uninstall completion followed by continued app presence. Defender observes a causal chain where a removal attempt is actively disrupted and the target application remains installed.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between uninstall UI entry, interference event, and continued install state" }, { "field": "ProtectedRoleSet", "description": "Set of elevated roles considered removal-resistant (device admin, owner modes, accessibility)" }, { "field": "GlobalActionSet", "description": "UI actions considered suspicious during uninstall flows (BACK, HOME, RECENTS)" }, { "field": "AllowedAccessibilityApps", 
"description": "Known legitimate accessibility services expected to use global actions" }, { "field": "UninstallRetryThreshold", "description": "Number of repeated uninstall attempts before escalation" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold confirming continued meaningful activity after failed removal" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1738", "external_id": "AN1738" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T18:49:55.440Z", "name": "Analytic 1738", "description": "Detects conditional execution by correlating (1) application access to constrained environment signals such as location, locale, network context, device state, or user interaction timing, (2) prolonged inactivity or feature suppression despite available permissions, and (3) abrupt initiation of higher-risk behavior only when the expected target context is present. 
Because direct observation of some runtime decision logic is weaker on iOS, the defender relies more heavily on lifecycle, sensor, and downstream network effects following target-condition alignment.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "application remains inactive across normal execution windows and transitions into background or foreground activity burst only when qualifying device context, lock state, locale, or network condition exists" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between context checks and guarded execution" }, { "field": "TargetContextSet", "description": "Expected environment properties used for gating, such as location region, locale, SSID/network context, device lock state, or user activity timing" }, { "field": "DormancyThreshold", "description": "Duration of inactivity before guarded behavior begins" }, { "field": "ExpectedBackgroundModes", "description": "Baseline of legitimate apps whose feature activation is context-dependent 
in background execution" }, { "field": "AllowedDestinationList", "description": "Expected destinations for apps whose network activity legitimately begins only in certain contexts" }, { "field": "UserInteractionThreshold", "description": "Acceptable recency of user interaction before guarded execution is considered suspicious" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1778", "external_id": "AN1778" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T19:36:34.664Z", "name": "Analytic 1778", "description": "Defender correlates an app preparing to phish (gaining overlay/notification/accessibility capability) with precise foreground targeting (reading activity in front via accessibility/focus) and then presenting a look-alike UI (overlay window or activity-on-top) immediately before local storage or small-burst egress of entered data. 
Chain: capability/permission \u2192 target app in foreground detected \u2192 overlay/activity-on-top or fake notification tap \u2192 local prompt input write \u2192 near-term network egress.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "android:logcat", "channel": "Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for the observed package" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over the target app" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "android:logcat", "channel": "startActivity on top of the target app (launchMode/singleTop), task switch immediately after focus" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from overlay/activity to persist/exfil (e.g., 5\u201360s)." }, { "field": "OverlayRequired", "description": "Require overlay evidence unless activity-on-top is observed (true/false)." 
}, { "field": "TargetPkgWatchlist", "description": "List of high-value target packages (banking, identity) to raise severity." }, { "field": "PersistPathRegex", "description": "Regex for local prompt data artifacts." }, { "field": "ExfilDomainAllowlist", "description": "Known-good analytics/CDN/service domains to suppress FPs." }, { "field": "UserContext", "description": "Work Profile/Kiosk mode/Accessibility allowlist to scope benign cases." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0637#AN1711", "external_id": "AN1711" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-08T20:14:18.733Z", "name": "Analytic 1711", "description": "The defender correlates foreground service start or promotion activity with persistent-notification presentation, long-lived application execution, and continued access to while-in-use sensors or network activity outside expected user-driven context. 
The analytic looks for an application invoking foreground service APIs, sustaining a foreground state longer than expected for its declared role, and retaining camera, microphone, location, or other sensor access while the device is locked, the app lacks recent interaction, or the notification identity/function does not match the application\u2019s behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Persistent foreground-service notification is created, updated, or remains visible while app behavior or notification identity is inconsistent with declared function during the persistence interval" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction" } ], "x_mitre_mutable_elements": [ { "field": "AllowedAppList", "description": "Apps legitimately expected to run foreground services such as navigation, fitness, calling, media playback, enterprise VPN, accessibility, or device-management apps" }, { "field": "AllowedServiceTypes", "description": "Approved foreground service types and role-to-type mappings, especially for Android 14+ 
and later" }, { "field": "ForegroundDurationThreshold", "description": "Duration a foreground service may legitimately remain active before suspicion increases" }, { "field": "SensorAfterPromotionWindow", "description": "Maximum expected delay between service promotion and sensor activation for legitimate workflows" }, { "field": "NotificationMismatchPatterns", "description": "Patterns indicating misleading or impersonating foreground notifications, such as benign-looking text or mismatched app function" }, { "field": "RecentInteractionThreshold", "description": "How recently the user must have interacted with the app for sensor or network activity to be considered expected" }, { "field": "UplinkBytesThreshold", "description": "Minimum sustained outbound volume or beacon frequency during persistent foreground execution" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1720", "external_id": "AN1720" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T18:13:22.436Z", "name": "Analytic 1720", "description": "From the defender view: an app accesses UIPasteboard contents, sometimes repeatedly, including in background or immediately after another app copies sensitive text. iOS 14+ shows user notifications when pasting cross-app; unified logs reflect pasteboard access, notification, and optional subsequent persistence/exfil. 
We correlate: pasteboard access \u2192 optional cross-app notification \u2192 local write (cache/DB) and/or network egress within a short window.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "UIPasteboard read (general/string/data) by the observed app; repeated reads or background access" }, { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "iOS:unifiedlog", "channel": "\\\"has pasted from\\\" cross-app paste notification text containing source app name" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "iOS:unifiedlog", "channel": "Foreground/background transition for the observed app to contextualize access timing" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time between pasteboard access \u2192 persist/exfil (e.g., 5\u201360s)." }, { "field": "MinReadBurst", "description": "Minimum reads within window to flag harvesting (e.g., \u22652)." }, { "field": "PersistPathRegex", "description": "Regex for paste dumps in app container." }, { "field": "ExfilDomainAllowlist", "description": "Allowlisted analytics/CDN endpoints." }, { "field": "ForegroundRequired", "description": "Require foreground state for benign use; flag background reads." }, { "field": "UserContext", "description": "Work profile/MDM policy state to scope alerts." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1729", "external_id": "AN1729" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T19:20:39.637Z", "name": "Analytic 1729", "description": "Correlates (1) application possession and use of location authorization sufficient for ongoing geographic evaluation, (2) repeated location or region-monitoring behavior with limited visible feature activation outside target area, and (3) abrupt onset of network communication, background execution, or feature activation only after a qualifying location context is reached. Because direct visibility into every geofence callback is often weaker on iOS, the defender relies more heavily on the combination of location authorization state, repeated location access, app state transition, and downstream behavior that begins after region alignment.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application exhibits repeated location-context 
evaluation followed by delayed privileged framework use or feature activation only after target region match" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between location access, region qualification, and guarded activity" }, { "field": "AuthorizationMode", "description": "Expected risk weighting for when-in-use versus always authorization and whether background behavior occurs under that mode" }, { "field": "RegionMatchThreshold", "description": "Defines geospatial or dwell-time threshold used to infer region-based activation" }, { "field": "DormancyThreshold", "description": "Duration of inactivity or suppressed behavior before location-qualified activation" }, { "field": "ExpectedBackgroundModes", "description": "Baseline of apps legitimately using location-driven background execution or region monitoring" }, { "field": "AllowedDestinationList", "description": "Expected destinations for apps whose network activity legitimately depends on user location" }, { "field": "UserInteractionThreshold", "description": "Acceptable recency of user interaction before post-location activation is considered suspicious" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0642#AN1718", "external_id": "AN1718" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T18:10:00.568Z", "name": "Analytic 1718", "description": "Correlates (1) application interaction with elevation control mechanisms (e.g., Accessibility Service, Device Admin, overlay permissions, package installer flows), (2) rapid transition to elevated capability state without expected user interaction patterns, and (3) 
immediate privileged actions such as sensor access, UI manipulation, or background persistence. The defender observes a causal chain where an application gains elevated privileges through abuse of system-controlled consent flows and subsequently performs actions inconsistent with normal user-driven authorization.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Defines correlation window between permission grant and privileged behavior" }, { "field": "HighRiskPermissionSet", "description": "List of permissions or access types considered high-risk (Accessibility, Device Admin, overlay)" }, { "field": "UserInteractionThreshold", "description": "Defines acceptable proximity of user interaction to permission grant" }, { "field": "AllowedAppList", "description": "Baseline of legitimate apps expected to use high-risk permissions" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": 
false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1737", "external_id": "AN1737" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T18:45:30.914Z", "name": "Analytic 1737", "description": "Correlates (1) application access to device- or environment-specific attributes used to validate target conditions, (2) suppression of sensitive behavior until those attributes match an expected value, and (3) immediate transition into protected actions such as sensor use, file access, or network communication only after the condition is satisfied. The defender observes a causal chain where an app repeatedly evaluates device state or environment context and withholds execution until a target-specific match occurs.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between environment checks and subsequent guarded execution" }, { "field": 
"TargetAttributeSet", "description": "Environment attributes treated as likely guardrail inputs, such as locale, geolocation, carrier, Wi-Fi identity, device model, or lock state" }, { "field": "DormancyThreshold", "description": "Amount of suppressed or low-activity runtime before sensitive behavior begins" }, { "field": "AllowedAppList", "description": "Baseline of legitimate apps expected to evaluate environment attributes before conditional feature activation" }, { "field": "ForegroundStateRequired", "description": "Whether guarded execution is only suspicious when activated from background or without recent user interaction" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound traffic volume used to distinguish meaningful guarded execution from benign telemetry" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0666#AN1760", "external_id": "AN1760" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1760", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0660#AN1750", "external_id": "AN1750" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1750", "description": "Application vetting services could look for use of standard APIs (e.g. 
the clipboard API) that could indicate data manipulation is occurring.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1717", "external_id": "AN1717" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-01T15:39:38.487Z", "name": "Analytic 1717", "description": "Indirect evidence of application-layer encrypted channel usage inferred through anomalous background processing and network transmission patterns following application activity, where encryption operations are not directly observable. 
Detection correlates background execution + network behavior + application entitlement posture to identify misuse of encrypted communication channels.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between background processing and network transmission" }, { "field": "AllowedAppList", "description": "Apps expected to use encrypted communication channels" }, { "field": "EntropyThreshold", "description": "Threshold for identifying encoded/encrypted payloads" }, { "field": "BeaconIntervalVariance", "description": "Tolerance for periodic communication patterns" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0623#AN1688", "external_id": "AN1688" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1688", "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \nApplication vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. \nOn both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "name": "Network Traffic", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1788", "external_id": "AN1788" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-18T18:06:39.579Z", "name": "Analytic 1788", "description": "Defender observes an app (package/UID) issuing high-rate directory or content-index enumerations against external/shared storage or other apps\u2019 Documents/Media providers (logcat:ContentResolver, logcat:StorageAccessFramework), followed within a short window by bulk READ handles or stat/list calls over many distinct paths (logcat:FileIO). Activity occurs without foreground UI or exceeds typical per-app baseline, indicating automated file/dir discovery rather than user-driven browsing. 
Correlate on package/UID/profile and time proximity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "android:logcat", "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:logcat", "channel": "READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Time window to correlate API queries with file listings (e.g., 30\u2013300s)." }, { "field": "MinDistinctPaths", "description": "Minimum unique paths accessed to qualify as discovery (e.g., \u226550)." }, { "field": "BackgroundOnly", "description": "Require app to be backgrounded to reduce user-driven noise." }, { "field": "TargetPathRegex", "description": "Scope to enterprise-relevant locations (e.g., /Documents, /Android/media/)." }, { "field": "AllowlistedPackages", "description": "Backup/DLP/security apps expected to enumerate broadly." 
}, { "field": "ProfileScope", "description": "Limit to Work Profile to reduce personal data noise." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1669", "external_id": "AN1669" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T17:32:52.483Z", "name": "Analytic 1669", "description": "A defender correlates navigation to external web content in a browser or embedded WebView with immediate script-heavy or exploit-preparation network activity, followed by abnormal browser/WebView process behavior, suspicious file or download artifacts, or rapid post-visit capability shifts such as new package install attempts, overlay prompts, permission requests, or outbound command traffic inconsistent with normal browsing.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence" }, { 
"x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior" } ], "x_mitre_mutable_elements": [ { "field": "NavigationToExploitWindow", "description": "Time window used to correlate web navigation with redirects, fingerprinting, downloads, or post-visit capability changes." }, { "field": "AllowedBrowserApps", "description": "Allow-list of expected browsers or sanctioned WebView-hosting apps used in the enterprise." }, { "field": "RedirectChainThreshold", "description": "Threshold for suspicious number of redirects or cross-domain hops during a single browsing session." }, { "field": "NewDomainBurstThreshold", "description": "Threshold for the number of newly observed domains contacted in a short browsing window." }, { "field": "DownloadArtifactThreshold", "description": "Threshold for suspicious downloaded or cached artifacts created after navigation." }, { "field": "PostVisitCapabilityShiftRequired", "description": "Determines whether to require a new install/prompt/permission/overlay event after browsing to raise confidence." 
}, { "field": "AllowedAdTechDomains", "description": "Baseline of normal advertising/CDN/tracking domains to reduce false positives from legitimate browsing." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0623#AN1687", "external_id": "AN1687" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1687", "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \nApplication vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. \nOn both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "name": "Network Traffic", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0674#AN1774", "external_id": "AN1774" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-23T17:29:42.280Z", "name": "Analytic 1774", "description": "OLD: \nApplication vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. \nOn both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoking the permission if necessary. 
\n\nNEW:\nA defender observes an Android application requesting `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR`, which may also be listed in the application\u2019s Manifest.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "Invocation of Calendar.set() and Calendar.add()" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Application granted or retaining the READ_CALENDAR or WRITE_CALENDAR permissions." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0688#AN1799", "external_id": "AN1799" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1799", "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": 
"x-mitre-analytic", "id": "x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0652#AN1735", "external_id": "AN1735" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1735", "description": "Application vetting services may detect when an application requests permissions after an application update.\nApplication vetting services may look for indications that the application\u2019s update includes malicious code at runtime. \nApplication vetting services may be able to list domains and/or IP addresses that applications communicate with.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1820", "external_id": "AN1820" } ], "object_marking_refs": 
[ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-24T17:35:08.607Z", "name": "Analytic 1820", "description": "Defender observes anomalous access to remote device management or enterprise mobility management control planes followed by device-state queries, location requests, or management actions inconsistent with user role, historical behavior, or device ownership context.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "name": "saas:MDM", "channel": "Authentication events to device management or enterprise mobility management consoles" }, { "x_mitre_data_component_ref": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac", "name": "saas:MDM", "channel": "Device lookup, location query, or remote management operation" } ], "x_mitre_mutable_elements": [ { "field": "RoleDeviationThreshold", "description": "Defines acceptable variance between user privileges and management actions" }, { "field": "GeoAccessAnomalyThreshold", "description": "Baseline deviation tolerance for management console access locations" }, { "field": "DeviceOwnershipBaseline", "description": "Expected mapping of users to managed devices" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0615#AN1672", "external_id": "AN1672" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", 
"name": "Analytic 1672", "description": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0686#AN1795", "external_id": "AN1795" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-23T22:55:59.738Z", "name": "Analytic 1795", "description": "OLD: Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.\n\nNEW: A defender observes an Android application requesting `android.permission.READ_SMS` and/or `android.permission.RECEIVE_SMS`, which may also be listed in the application's manifest file. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Application granted or retaining the READ_SMS or RECEIVE_SMS permission." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0668#AN1764", "external_id": "AN1764" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-24T17:47:35.979Z", "name": "Analytic 1764", "description": "The defender correlates Android screen-capture-capable behavior from an app identity with runtime context showing that foreground content from another app is being captured outside expected user-driven workflows. The strongest Android evidence is MediaProjection-like capture initiation, accessibility-assisted observation of foreground UI content, or privileged screencap or screenrecord behavior, followed by screenshot or video artifact creation, buffer growth, or outbound transfer. 
The detection is strengthened when the capturing app is backgrounded, operates as a foreground service without clear user-driven recording intent, captures while another sensitive app is foregrounded, runs with accessibility or elevated access inconsistent with its role, or performs capture without recent user interaction.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Capturing app remained backgrounded or foreground-service-only while screen capture session occurred and another app was foregrounded during capture interval" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before screen capture session start and no expected foreground transition or consent-linked interaction occurred during capture interval" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Sensitive app category remained foregrounded during screen capture session from different app identity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window linking capture-path invocation, foreground-app context, artifact creation, and optional upload." }, { "field": "AllowedAppList", "description": "Approved screen-recording, accessibility, remote-support, or QA/testing apps vary by organization and device group." }, { "field": "AllowedAccessibilityApps", "description": "Approved accessibility-enabled apps vary by assistive and enterprise workflow." }, { "field": "AllowedForegroundServiceCaptureApps", "description": "Some approved apps may legitimately use foreground services during screen recording." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close capture initiation must be to user interaction to be considered expected." }, { "field": "SensitiveForegroundAppCategories", "description": "Categories such as banking, identity, messaging, or enterprise apps may warrant higher sensitivity during capture." 
}, { "field": "ArtifactWriteThreshold", "description": "Minimum screenshot/video/cache write volume indicating probable screen-capture output." }, { "field": "UplinkBytesThreshold", "description": "Threshold for suspicious outbound transfer after capture." }, { "field": "ConsentInteractionGracePeriod", "description": "Grace period allowed for expected user consent or explicit initiation before capture is treated as suspicious." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0716#AN1845", "external_id": "AN1845" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1845", "description": "The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1808", "external_id": "AN1808" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-19T20:20:49.044Z", "name": "Analytic 1808", "description": "The defender correlates Android camera access by an app identity with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest Android evidence is camera resource access followed by sustained capture duration, video or image artifact creation, buffer or cache growth, and optional outbound transfer, especially when the app is backgrounded, operating as a foreground service without visible user initiation, active while the device is locked, or capturing without recent user interaction. 
The detection is strengthened when the app is unmanaged, recently granted camera access, or not approved to record video.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Camera sensor access began from app identity and remained active for sustained capture interval in app context not mapped to approved video recording workflow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Camera sensor access occurred while AppState=background, foreground service active without visible user action, or DeviceLockState=locked during capture interval" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before camera session start and no foreground transition occurred during sustained capture interval" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App identity performing camera session was unmanaged, recently granted camera permission, or not approved to use camera for video or interval image capture" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window linking camera access, lifecycle 
context, artifact creation, and optional network transfer." }, { "field": "CaptureDurationThreshold", "description": "Minimum sustained camera session duration considered unusual for the app role." }, { "field": "AllowedAppList", "description": "Approved camera-capable apps vary by organization, device group, and role." }, { "field": "ForegroundStateRequired", "description": "Some apps should only access the camera while visibly foregrounded." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close camera activation must be to user interaction to be considered expected." }, { "field": "AllowedBackgroundCaptureApps", "description": "Specific enterprise or accessibility workflows may legitimately capture while not foregrounded." }, { "field": "ArtifactWriteThreshold", "description": "Minimum media-buffer or file-write volume indicating probable video or burst-image capture." }, { "field": "UplinkBytesThreshold", "description": "Threshold for suspicious outbound transfer after capture." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0671#AN1769", "external_id": "AN1769" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1769", "description": "The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. \nCommand-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. 
\nThe user is prompted for approval when an application requests device administrator permissions.\nApplication vetting services may detect API calls for deleting files. \nMobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "name": "Command", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1773", "external_id": "AN1773" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-04T23:33:56.647Z", "name": "Analytic 1773", "description": "A defender observes an application with declared 
microphone capability initiating microphone resource use through iOS audio frameworks, potentially during background execution or shortly after a silent wake event, followed by sustained audio capture and outbound encrypted traffic suggesting audio streaming or upload activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Microphone sensor activation or audio recording session initiated by application process" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Application writes audio buffer or recorded audio file into application storage directories" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Application transitions to background or executes while screen locked during microphone session" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability" } ], "x_mitre_mutable_elements": [ { "field": "ExpectedAudioAppsBaseline", "description": "Allow-list of legitimate applications expected to record audio on the device." 
}, { "field": "BackgroundWakeCorrelationWindow", "description": "Time window correlating background wake events with microphone activation." }, { "field": "MicSessionDurationThreshold", "description": "Minimum microphone recording duration considered suspicious." }, { "field": "MicToNetworkCorrelationWindow", "description": "Time window linking microphone activation to outbound network activity." }, { "field": "UplinkBytesThreshold", "description": "Threshold for outbound traffic volume indicating possible audio upload." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0611#AN1665", "external_id": "AN1665" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-01T14:50:46.895Z", "name": "Analytic 1665", "description": "An application is granted or maintains notification listener access, observes notification content from other applications (including sensitive sources such as SMS/email/2FA apps), processes or stores notification payloads, and optionally suppresses or programmatically interacts with notifications (dismiss/action triggers) without corresponding foreground user interaction. 
Detection correlates special access permission state + notification event interception + application background state + downstream data use (local write or network transmission).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Notification access event occurs while app_state=background AND device_state=locked OR no recent user interaction" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between notification interception and subsequent data write or network transmission varies by app behavior" }, { "field": "AllowedAppList", "description": "Enterprise-approved apps with legitimate notification access (e.g., accessibility tools, wearables)" }, { "field": "ForegroundStateRequired", "description": "Whether notification access is expected only when the app is foregrounded" }, { "field": "UplinkBytesThreshold", "description": "Threshold for small outbound payloads indicative of notification content exfiltration" }, { "field": "SensitiveSourceApps", "description": "Apps whose notifications are considered sensitive (SMS, email, 
authenticator apps)" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0708#AN1831", "external_id": "AN1831" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1831", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1734", "external_id": "AN1734" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:21.803Z", "name": "Analytic 1734", "description": "Correlates (1) application activity that creates, modifies, or accesses local artifacts relevant to detection or device compromise state, (2) subsequent deletion, alteration, renaming, relocation, or visibility suppression of those artifacts, 
including files, application presence, media, or root-compromise indicators, and (3) continued application execution, reduced telemetry quality, or outbound activity after the artifact state changes. The defender observes a causal chain where host-side evidence is first manipulated and expected visibility or reporting degrades while the initiating application remains active.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between artifact change, visibility degradation, and continued execution or network activity" }, { "field": "ArtifactTypeSet", "description": "Types of host artifacts monitored for suspicious removal or alteration, such as files, installed-app presence, hidden media, or 
compromise markers" }, { "field": "ExpectedTelemetrySources", "description": "Baseline sources expected to continue reflecting artifacts or compromise state" }, { "field": "TelemetryGapThreshold", "description": "Threshold defining abnormal loss of artifact visibility or reporting continuity" }, { "field": "AllowedAppList", "description": "Legitimate apps expected to delete or alter artifacts as part of normal lifecycle or cleanup behavior" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold used to confirm meaningful activity after indicator removal" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0627#AN1696", "external_id": "AN1696" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1696", "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. 
\nApplication vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1719", "external_id": "AN1719" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T18:06:40.461Z", "name": "Analytic 1719", "description": "From the defender view: an app registers a clipboard listener or calls ClipboardManager getters; the app is (a) foreground, (b) the default IME, or (c) abusing legacy paths. Shortly after each clipboard change, the app reads the primary clip repeatedly, optionally persists content (local file/DB) and/or exfiltrates it. 
We correlate: listener/clip-access \u2192 privilege/foreground confirmation \u2192 bursty reads \u2192 local write and/or network egress within a tight window.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by " }, { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "android:logcat", "channel": "Activity/Process state change (mFocusedApp, onResume/onPause) identifying as foreground" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "Default IME active or bound to (InputMethodManager reports imeId=)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time between clip access \u2192 persist/exfil (e.g., 5\u201345s)." }, { "field": "MinReadBurst", "description": "Minimum reads per clipboard change to flag harvesting (e.g., \u22652)." }, { "field": "PersistPathRegex", "description": "Regex for files/DBs used to stash clipboard content in app container." }, { "field": "ExfilDomainAllowlist", "description": "Allowlisted domains to suppress false positives for analytics SDKs." }, { "field": "ForegroundRequired", "description": "Require foreground unless app is the default IME (true/false)." 
}, { "field": "UserContext", "description": "Work Profile/Developer Mode/Doze to scope alerts." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1763", "external_id": "AN1763" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-06T15:53:14.197Z", "name": "Analytic 1763", "description": "Indirect evidence of asymmetric cryptographic channel usage inferred through key exchange-like network patterns and application background execution behavior, where direct observation of keypair operations is limited. Detection correlates app entitlement posture + background execution + asymmetric handshake patterns + subsequent encrypted communication.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between initial communication burst and steady encrypted traffic" }, { "field": "AllowedAppList", "description": "Apps expected to perform asymmetric key exchanges" }, { "field": "HandshakePatternThreshold", "description": "Threshold for identifying asymmetric handshake-like traffic patterns" }, { "field": "ForegroundStateRequired", "description": "Whether communication establishment should occur during user interaction" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { 
"source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0669#AN1766", "external_id": "AN1766" }, { "source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" }, { "source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1766", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1748", "external_id": "AN1748" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-06T18:43:26.902Z", "name": "Analytic 1748", "description": "A defender correlates an unexpected change in cellular subscription state (eSIM/SIM profile change, carrier/operator change, or sudden persistent loss of cellular service) with near-term disruption signals and a rapid increase in authentication-related network activity consistent with SMS verification or account recovery flows, suggesting the user\u2019s number has been ported to an adversary-controlled SIM/device (SIM swap impact).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Cellular service state transitions (in-service\u2192no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')" }, 
{ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss" } ], "x_mitre_mutable_elements": [ { "field": "SupervisedInventoryAvailability", "description": "Tuning based on whether supervised iOS + MDM provides sufficient subscription/eSIM visibility; otherwise rely on agent + network signals." }, { "field": "ServiceLossDurationThreshold", "description": "Minimum persistent no-service duration required to reduce false positives from normal carrier fluctuations." }, { "field": "SwapCorrelationWindow", "description": "Time window to link subscription disruption with identity/auth network anomalies." }, { "field": "AuthTrafficSpikeThreshold", "description": "Threshold for suspicious increase in OTP/MFA/account recovery traffic relative to device/user baseline." }, { "field": "RoamingExpectedRegions", "description": "Tuning to reduce false positives when the user is traveling or roaming across carrier networks." 
}, { "field": "IdentityEndpointAllowList", "description": "Baseline list of expected identity endpoints (IdP, banking, crypto) for the device/user population" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0624#AN1689", "external_id": "AN1689" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1689", "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0717#AN1847", "external_id": "AN1847" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T16:13:11.156Z", "name": "Analytic 1847", "description": "The defender correlates application loading or invoking native libraries through JNI or NDK-backed execution paths with subsequent lower-level activity such as native thread creation, sensor access, file 
operations, or outbound network communication that is inconsistent with the app's declared role or recent user interaction. The analytic prioritizes defender-observable control-plane effects: native library load or JNI bridge use, transition into native execution context, and immediate post-load behavior occurring from background state, locked-device state, or non-baselined app categories.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Native library load or JNI-backed execution occurs while app_state=background or device_locked=true or recent_user_interaction=false during the execution phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between native library load, JNI/native execution, and 
follow-on behavior" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to use native code, such as games, media, enterprise VPN, security tools, or performance-intensive apps" }, { "field": "AllowedLibraryPatterns", "description": "Expected native library names, paths, signing attributes, or packaging patterns for approved applications" }, { "field": "ForegroundStateRequired", "description": "Whether native execution should only occur during active user-driven workflows for a given app role" }, { "field": "LibraryPathPatterns", "description": "Environment-specific list of suspicious temporary, extracted, or dynamically staged native library locations" }, { "field": "PostLoadBehaviorThreshold", "description": "Minimum number or severity of suspicious actions after native load required to elevate confidence" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after native execution to treat network activity as meaningful follow-on behavior" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0616#AN1673", "external_id": "AN1673" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1673", "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0622#AN1685", "external_id": "AN1685" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1685", "description": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1733", "external_id": "AN1733" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:22.993Z", "name": "Analytic 1733", "description": "Detects indirect evidence of host-side indicator removal by correlating (1) local artifact creation or compromise-state-relevant activity, (2) later disappearance, alteration, or reporting loss for those artifacts or state indicators, and (3) continued application or device activity under reduced visibility. Because iOS provides weaker direct visibility into some Android-style artifact and jailbreak-indicator manipulation patterns, the defender relies more on app-private artifact lifecycle changes, managed posture shifts, and continued runtime or network activity after expected evidence disappears.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between artifact disappearance, posture change, and continued activity" }, { "field": "ArtifactTypeSet", "description": "Host artifacts and state indicators monitored for suspicious removal, alteration, or disappearance" }, { "field": "ExpectedTelemetrySources", "description": "Baseline sources expected to continue exposing artifact presence or compromise-relevant state" }, { "field": "TelemetryGapThreshold", "description": "Threshold defining abnormal loss of artifact visibility or managed-state continuity" }, { "field": "ExpectedManagementChanges", "description": "Known 
legitimate posture or inventory changes that may remove or update artifacts" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold used to confirm meaningful continued activity after indicator removal" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1723", "external_id": "AN1723" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-11T16:02:58.868Z", "name": "Analytic 1723", "description": "The defender correlates lock-state transition telemetry, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity while the user-interaction context is weak or inconsistent. This yields stronger coverage on Android than iOS.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "android:MDMLog", "channel": "Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum allowed time between locked-state boundary, suspicious app/framework activity, and unlock transition." }, { "field": "AllowedAppList", "description": "Approved apps permitted to hold accessibility, overlay, device-admin, or other authentication-adjacent special access." }, { "field": "ForegroundStateRequired", "description": "Whether a benign authentication-adjacent app is expected to be visible in the foreground during unlock-related operations." }, { "field": "RecentUserInteractionWindow", "description": "Time threshold for treating the unlock as user-driven based on touch, motion, or interaction context." }, { "field": "ExpectedUnlockPopulation", "description": "User or device groups expected to use alternative lockscreen workflows, enterprise trust agents, or kiosk-like modes." }, { "field": "TrustedDestinationAllowList", "description": "Expected destinations contacted immediately after legitimate unlock by enterprise apps." }, { "field": "UplinkBytesThreshold", "description": "Threshold for suspicious immediate post-unlock outbound traffic." }, { "field": "SensorUseAllowList", "description": "Apps expected to access camera or other sensors near the authentication boundary." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1654", "external_id": "AN1654" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-16T22:10:25.735Z", "name": "Analytic 1654", "description": "The defender observes a device at activation, supervision, or enrollment time with unusual management-plane posture, inventory, or trust characteristics and then relies primarily on downstream network effects and device state inconsistencies rather than direct low-level process telemetry. On iOS, the most reliable sequence is supervision/attestation or inventory concern near first contact followed by network egress or protected-state behavior that is inconsistent with lock state, setup phase, or expected managed app activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Supervised or newly activated device initiates outbound connections to destinations outside 
Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Managed app or device-originated network activity occurs while the device is locked or before expected managed app initialization sequence, inconsistent with expected background refresh baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between enrollment/inventory concern and suspicious network activity." }, { "field": "SupervisedRequired", "description": "Most strong posture and inventory analytics require supervised iOS devices." }, { "field": "AllowedDestinations", "description": "Apple, MDM, update, enterprise, and managed SaaS destinations vary by organization." }, { "field": "BackgroundRefreshBaseline", "description": "Expected background network behavior varies by managed app set and policy." }, { "field": "ActivationGracePeriod", "description": "Benign activation, restore, and setup traffic can be noisy immediately after provisioning." }, { "field": "RecentUserInteractionWindow", "description": "Defines how recently the user must have interacted for activity to be considered expected." }, { "field": "InventoryDriftTolerance", "description": "Tuning for acceptable changes in inventory/configuration during upgrades or replacements." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1648", "external_id": "AN1648" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T17:40:11.076Z", "name": "Analytic 1648", "description": "Defender correlates an app process performing a burst of OS/device attribute lookups (build, hardware, SDK level, system properties) with near-term execution branching (feature gating, module load, permission workflow changes) and/or immediate outbound communications, indicating environment evaluation used to shape follow-on actions.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window for system-info collection burst \u2192 outbound transmission (e.g., 60\u2013900s)." }, { "field": "MinSystemInfoSignals", "description": "Minimum number of distinct system-attribute reads/queries within window to count as \u2018broad fingerprinting\u2019 (tune to telemetry fidelity)." }, { "field": "DistinctAttributeThreshold", "description": "How many distinct attribute categories (build fields, cpu, locale, patch level, network identifiers) must be observed." 
}, { "field": "BackgroundOnly", "description": "If true, require the burst occurs while app is background to reduce noise from legitimate settings/about-device screens." }, { "field": "AllowlistedPackages", "description": "Legitimate device management, diagnostics, carrier services, and enterprise security apps expected to collect device inventory." }, { "field": "NewDomainWindowSeconds", "description": "Window for \u2018newly contacted domain\u2019 enrichment after fingerprinting burst." }, { "field": "SmallPostByteRange", "description": "Approximate payload size range used for \u2018fingerprint submit\u2019 heuristic (environment dependent)." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0608#AN1659", "external_id": "AN1659" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1659", "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. 
\nApplication vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1804", "external_id": "AN1804" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T16:59:44.335Z", "name": "Analytic 1804", "description": "Defender observes an app/package attempting to enumerate running processes by triggering restricted process visibility mechanisms (e.g., repeated queries for running tasks/services, rapid iteration over process identifiers, or access attempts against /proc entries) that are atypical for its declared function and occur without an associated user-facing diagnostic workflow. 
The detection relies on correlating (1) OS/API calls or shell/system utility execution indicative of process listing or /proc traversal, (2) app privilege context (root, debug build, device owner/profile owner, accessibility/IME status), (3) background execution state, and (4) optional follow-on behaviors consistent with automated discovery (short bursts of local IPC probes, network beacons immediately after enumeration, or rapid targeting of specific high-value package/process names). The analytic should describe what is observable: repeated enumeration signals + privilege context + timing relationship, not the adversary\u2019s intent.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "android:logcat", "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "auditd:SYSCALL", "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window for enumeration \u2192 follow-on activity (e.g., 60\u2013600s)." 
}, { "field": "MinEnumerationSignals", "description": "Minimum count of process enumeration indicators to alert (tune by OS build and telemetry quality)." }, { "field": "ProcTraversalThreshold", "description": "How many distinct /proc paths opened within the window counts as enumeration (e.g., \u226550)." }, { "field": "BackgroundOnly", "description": "If true, require background state to reduce legitimate in-app diagnostics noise." }, { "field": "AllowlistedPackages", "description": "Legitimate security/diagnostic/MDM agents expected to inspect processes." }, { "field": "HighValueProcessNames", "description": "Process/package names of interest (e.g., security agents, banking apps) used only as enrichment, not a signature." }, { "field": "NetworkProbePorts", "description": "Ports considered a \u2018probe/beacon\u2019 after enumeration (53/80/443/etc.)." }, { "field": "PrivilegeEscalationGate", "description": "If true, increase severity when enumeration co-occurs with root/debuggable/jailbreak-like posture." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1805", "external_id": "AN1805" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T17:10:37.953Z", "name": "Analytic 1805", "description": "Defender observes signals consistent with attempted process listing on iOS where modern OS protections generally prevent broad process enumeration for non-root apps. 
Detections therefore focus on: (1) feasibility gating via integrity/jailbreak posture, and (2) observable security/log anomalies consistent with attempts to query process tables or restricted system interfaces (e.g., repeated sandbox denials, suspicious sysctl-like access attempts, or abnormal use of private frameworks). Correlate integrity compromise indicators with repeated restricted-access events and optional follow-on behaviors (rapid targeting of specific bundles/services or immediate network beacons) to raise confidence that process discovery is occurring.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "MDM:DeviceIntegrity", "channel": "jailbreak/root compromise indicators or integrity attestation failures enabling process visibility" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)" } ], "x_mitre_mutable_elements": [ { "field": "IntegritySignalRequired", "description": "If true, alert only when integrity/jailbreak posture indicates process discovery is feasible." }, { "field": "MinSandboxDenials", "description": "Threshold for sandbox denials within a window to treat as sustained restricted-access attempts." 
}, { "field": "TimeWindowSeconds", "description": "Correlation window between integrity signals and sandbox/network events (e.g., 1\u201324 hours)." }, { "field": "AllowlistedBundles", "description": "Enterprise monitoring/networking apps that may generate benign sandbox noise." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1693", "external_id": "AN1693" }, { "source_name": "Android_UnsafeURILoading_Sept2024", "description": "Android Developers. (2024, September 24). Webviews \u2013 Unsafe URI Loading. Retrieved March 2, 2026.", "url": "https://developer.android.com/privacy-and-security/risks/unsafe-uri-loading" }, { "source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-02T20:08:42.566Z", "name": "Analytic 1693", "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Defenders should validate the entirety of the URI. 
For example, the URI's scheme should be `https` and the URI's host should be on a list of trusted hosts.(Citation: Android_UnsafeURILoading_Sept2024)\n\nDevelopers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\n\nOn Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0632#AN1703", "external_id": "AN1703" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1703", "description": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1658", "external_id": "AN1658" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T20:52:16.713Z", "name": "Analytic 1658", "description": "The defender correlates managed-app process-launch or shell-like execution effects with subsequent file or network activity by the same app, then raises confidence when execution occurs in background context, without recent user interaction, or appears tied to command delivery or output exfiltration. 
Because direct Unix-shell observability is typically weaker on iOS and child processes remain constrained by the app sandbox, the analytic anchors on process-execution effects where available and then on lifecycle, file, and network side effects rather than assuming rich shell-parameter visibility in all environments.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between shell-like execution indication, process effects, and follow-on file or network behavior" }, { "field": "AllowedAppList", "description": "Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks" }, { "field": "AllowedProcessPatterns", "description": "Expected helper-process or process-launch patterns for approved managed apps" }, { "field": "ForegroundStateRequired", "description": "Whether shell-like execution should occur only during active user-driven workflows" }, { "field": "ArtifactPathPatterns", "description": "Expected temporary or output file locations for approved app behavior" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after shell-like execution to treat network behavior as meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0625#AN1691", "external_id": "AN1691" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1691", "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0630#AN1701", "external_id": "AN1701" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T18:17:45.586Z", "name": "Analytic 1701", "description": "Correlates (1) activation of Device Administrator privileges by an application, (2) absence or mismatch of legitimate user interaction during the approval flow, and (3) immediate execution of administrator-level control actions (e.g., password reset, device lock, policy enforcement, prevention of uninstall). 
The defender observes a causal chain where an application transitions into a privileged device control role and rapidly exercises those capabilities outside expected user-driven patterns.\n\nApplication vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Defines correlation window between Device Admin activation and subsequent privileged actions" }, { "field": "AllowedAdminApps", "description": "Baseline of legitimate applications expected to request Device Administrator privileges (e.g., enterprise MDM agents)" }, { "field": "UserInteractionThreshold", "description": "Defines acceptable timing between user interaction and admin activation" }, { "field": "PrivilegedActionSet", "description": "List of high-risk DevicePolicyManager API actions monitored for abuse" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": 
"mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0683#AN1790", "external_id": "AN1790" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1790", "description": "Applications could be vetted for their use of the clipboard manager APIs, with extra scrutiny given to applications that make use of them.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0615#AN1671", "external_id": "AN1671" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1671", "description": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0635#AN1708", "external_id": "AN1708" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-23T23:00:36.132Z", "name": "Analytic 1708", "description": "OLD: Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.\nApplication vetting services may look for `MANAGE_ACCOUNTS` in an Android application\u2019s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.\n\nNEW: A defender observes an Android application invoking the AccountManager API. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "Invocation of AccountManager.getAccounts()" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1732", "external_id": "AN1732" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-01T16:04:16.642Z", "name": "Analytic 1732", "description": "Indirect evidence of symmetric cryptographic channel usage inferred through repeated structured encrypted network transmissions and background processing patterns, where direct 
observation of symmetric crypto operations is limited. Detection correlates application background execution + consistent encrypted payload patterns + app entitlement posture to identify misuse of symmetric encryption for command and control.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between background execution and network transmission" }, { "field": "EntropyThreshold", "description": "Threshold for detecting encrypted payloads" }, { "field": "BeaconIntervalVariance", "description": "Tolerance for periodic encrypted communication" }, { "field": "AllowedAppList", "description": "Apps expected to exhibit encrypted communication patterns" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1756", "external_id": "AN1756" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T17:58:13.523Z", "name": "Analytic 1756", "description": "Defender observes a mobile device engaging remote or internal services with traffic characteristics inconsistent with normal application behavior, followed by execution anomalies, application instability, or security context deviations consistent with exploitation effects.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": 
[ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Connections", "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "iOS:unifiedlog", "channel": "Application crash logs, watchdog terminations, or abnormal execution events associated with service communication" } ], "x_mitre_mutable_elements": [ { "field": "TrafficDeviationThreshold", "description": "Defines acceptable protocol and payload variation" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1821", "external_id": "AN1821" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-24T17:34:54.559Z", "name": "Analytic 1821", "description": "Defender observes anomalous authentication or session activity targeting remote device management services followed by device-tracking queries, device-state requests, or remote actions inconsistent with established user-device relationships or operational patterns.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "name": "saas:MDM", "channel": "Authentication events to Apple iCloud or 
enterprise device management services" }, { "x_mitre_data_component_ref": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac", "name": "saas:MDM", "channel": "Device lookup, location query, or remote management operation" } ], "x_mitre_mutable_elements": [ { "field": "UserDeviceRelationshipDeviation", "description": "Defines acceptable deviation from known user-device mappings" }, { "field": "SessionAnomalyThreshold", "description": "Baseline deviation tolerance for management sessions" }, { "field": "QueryFrequencyThreshold", "description": "Threshold for excessive device tracking or lookup activity" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0679#AN1783", "external_id": "AN1783" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1783", "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.\nOn both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0720#AN1851", "external_id": "AN1851" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-16T16:27:24.678Z", "name": "Analytic 1851", "description": "Defender correlates a sandboxed app writing high-entropy or encoded artifacts (often in app-private or shared storage), performing decode/decompress/reassembly, then dynamically loading/execing the resulting code (DexClassLoader/JNI dlopen) or spawning a helper process. 
Sequence: high-entropy file writes \u2192 decode/unpack bursts \u2192 new .dex/.so/.jar creation in temp/obfuscated paths \u2192 dynamic load or shell spawn within a tight window.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data//files/, /sdcard/Download/) and high estimated entropy" }, { "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "name": "android:logcat", "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file" }, { "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "name": "android:logcat", "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "android:logcat", "channel": "SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max interval to correlate write\u2192decode\u2192load stages (e.g., 5\u201360s depending on device performance)." 
}, { "field": "PayloadEntropyThreshold", "description": "Shannon entropy threshold to flag likely obfuscated blobs (e.g., \u2265 7.2)." }, { "field": "SuspiciousWriteDirs", "description": "Directories to monitor (e.g., app /files, cache, /sdcard/Download). OEMs vary." }, { "field": "ChunkCountThreshold", "description": "Minimum count of small sequential writes (split payload reassembly)." }, { "field": "NetworkCDNAllowlist", "description": "Benign CDNs/hosts for large opaque downloads to reduce FPs." }, { "field": "ExecPathRegex", "description": "Regex for newly loaded .dex/.so/.jar/temp artifacts." }, { "field": "UserContext", "description": "Foreground/background or developer mode context to suppress test noise." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1826", "external_id": "AN1826" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T18:41:55.176Z", "name": "Analytic 1826", "description": "Defender observes an app enabling or using input-capture surfaces (custom keyboard extension with Full Access, abnormal UI text entry interception, pasteboard polling adjacent to login screens), then persisting and/or exfiltrating captured input. 
Chain: capability/consent (TCC for keyboard Full Access or input privacy domains) \u2192 intercept behavior (keyboard extension active, repeated text field \u2018editingChanged\u2019/secure entry focus, background pasteboard reads) \u2192 local write \u2192 near-term egress.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "iOS:unifiedlog", "channel": "Keyboard extension Full Access change; privacy grant touching input/keyboard categories for " }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from intercept to persist/exfil (e.g., 5\u201360s)." }, { "field": "MinKeyEventBurst", "description": "Minimum key/commit or editingChanged count to flag harvesting (e.g., \u226510)." }, { "field": "KeyboardFullAccessRequired", "description": "Require keyboard Full Access to escalate severity (true/false)." }, { "field": "PersistPathRegex", "description": "Regex for keylog/clipboard dump files." }, { "field": "ExfilDomainAllowlist", "description": "Known-good enterprise/analytics endpoints." }, { "field": "UserContext", "description": "Foreground state, Focus modes, MDM policy." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0629#AN1700", "external_id": "AN1700" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1700", "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0659#AN1749", "external_id": "AN1749" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1749", "description": "No standard detection method currently exists for this technique.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055", "created": 
"2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0681#AN1787", "external_id": "AN1787" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1787", "description": "The user can view permissions granted to an application in device settings. \nApplication vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0613#AN1667", "external_id": "AN1667" }, { "source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. 
Retrieved July 31, 2023.", "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" }, { "source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1667", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0720#AN1852", "external_id": "AN1852" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": 
"2026-01-29T17:05:14.514Z", "name": "Analytic 1852", "description": "Defender correlates a sandboxed app downloading or receiving opaque/encoded blobs, writing high-entropy content into container/tmp, performing decode/decompress/reassembly, and then executing/loaded as Mach-O or bundle (dlopen) or leveraging JIT/RWX pages to run the decoded payload. Sequence: opaque download or IPC \u2192 high-entropy writes/split-file bursts \u2192 decode/unarchive \u2192 new Mach-O/bundle in tmp \u2192 dlopen/posix_spawn or RWX region activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application//tmp|Library/Caches)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "iOS:unifiedlog", "channel": "Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen" }, { "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "name": "iOS:unifiedlog", "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "iOS:unifiedlog", "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files" } 
], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max interval to link write\u2192decode\u2192load/exec (e.g., 5\u201345s depending on device and iOS version)." }, { "field": "PayloadEntropyThreshold", "description": "Entropy threshold to consider a file obfuscated/packed (e.g., \u2265 7.3)." }, { "field": "SplitWriteBurstMin", "description": "Minimum count of small sequential writes to flag reassembly behaviors." }, { "field": "AppContainerPaths", "description": "Container subpaths to monitor (tmp, Library/Caches, Documents) vary by policy." }, { "field": "KnownGoodBundles", "description": "Allowlist of legitimate dynamically loaded bundles/plugins to reduce FPs." }, { "field": "PerAppVPNAllowlist", "description": "Known enterprise services carrying opaque archives to avoid false alerts." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0716#AN1846", "external_id": "AN1846" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1846", "description": "The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0644#AN1721", "external_id": "AN1721" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T17:01:36.709Z", "name": "Analytic 1721", "description": "From the defender view: a sandboxed process receives/creates a high-entropy Mach-O/bundle or encrypted segment, performs in-memory decrypt/unpack (mmap/mprotect RW\u2192RX or RWX), optionally drops a transient image in app-writable dirs, then loads it through dyld/dlopen or spawns it. 
We correlate: (1) opaque blob write/arrival \u2192 (2) kernel memory protection changes \u2192 (3) dyld/dlopen from app-writable path or posix_spawn of a recently created image \u2192 (4) (optional) code-sign evaluation anomalies for the new image.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files" }, { "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "name": "iOS:unifiedlog", "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window from write\u2192rwx\u2192load/exec (e.g., 5\u201345s)." }, { "field": "PayloadEntropyThreshold", "description": "Entropy to flag packed blobs (e.g., \u2265 7.3)." }, { "field": "RWXPageMinKB", "description": "Minimum RWX allocation size (e.g., \u2265 32KB)." }, { "field": "KnownJITAllowlist", "description": "Bundle IDs legitimately using JIT to avoid RWX false positives." }, { "field": "WritableLoadPathRegex", "description": "Regex for app-writable load paths (tmp, Caches) outside app bundle." }, { "field": "UnsignedExecPolicy", "description": "Tuning if enterprise/dev provisioning allows non-App Store binaries." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0649#AN1730", "external_id": "AN1730" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T16:22:36.406Z", "name": "Analytic 1730", "description": "The defender correlates anomalous application package replacement, update, or executable-content drift with subsequent execution under the trusted application's identity, especially when package metadata, signing lineage, install source, file integrity, or native/DEX component characteristics change without a corresponding trusted distribution path. The analytic prioritizes Android-observable control-plane effects: package install/update events, package hash or code-section drift, signer mismatch or lineage break, unexpected app process behavior after replacement, and optional near-term network or sensor activity inconsistent with the legitimate application's baseline.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Existing application is replaced, updated, or 
reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Modified or newly replaced application begins execution or persists while recent_user_interaction=false or device_locked=true or launch context is inconsistent with expected user-driven update flow" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between package replacement, code drift, first launch, and follow-on behavior" }, { "field": "AllowedAppList", "description": "Applications legitimately expected to update frequently or use staged package delivery" }, { "field": "ApprovedInstallerSources", "description": "Expected install or update sources such as managed store, Google Play, or enterprise MDM" }, { "field": "AllowedSignerLineage", "description": "Approved signing certificates, rotation chains, and version lineage for managed apps" }, { "field": "AllowedPackagePaths", "description": "Expected package cache, installer, and app storage locations involved in legitimate updates" }, { "field": "IntegrityDriftThreshold", "description": "Degree of executable-content or metadata change tolerated before alerting" }, { "field": "ForegroundStateRequired", "description": "Whether package replacement and first launch should occur only during active user-driven workflows" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after first 
execution of replaced app to treat post-compromise communication as meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0693#AN1806", "external_id": "AN1806" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:26.476Z", "name": "Analytic 1806", "description": "Correlates (1) application acquisition or use of elevated control paths capable of altering defensive tooling or protected system state, such as device administration, root-enabled modification, or security-setting manipulation, (2) direct changes to security-tool configuration, service state, package state, or protected enforcement settings such as SELinux-relevant files or security-app components, and (3) immediate degradation, suppression, or disappearance of expected security telemetry while the device and initiating application remain active. 
The defender observes a causal chain where a security control is modified first, then monitoring or protection weakens, and subsequent activity continues under reduced defensive visibility.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "device posture changes to rooted, non-compliant, weakened security state, or elevated control role becomes active before security-tool degradation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between security-setting change, tool degradation, and subsequent continued activity" }, { "field": "CriticalToolSet", "description": "Security-relevant applications or components 
expected to remain enabled and reporting, such as mobile EDR, Play Protect-associated controls, or agent services" }, { "field": "TelemetryGapThreshold", "description": "Duration or volume threshold defining abnormal loss of expected security telemetry" }, { "field": "ProtectedSettingSet", "description": "Protected settings or files treated as suspicious if modified, including SELinux-relevant enforcement state or security-app configuration" }, { "field": "AllowedAdminApps", "description": "Legitimate applications or management agents allowed to modify security-relevant posture" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold used to confirm continued meaningful activity during reduced defensive visibility" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0622#AN1686", "external_id": "AN1686" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1686", "description": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1742", "external_id": "AN1742" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T20:37:17.277Z", "name": "Analytic 1742", "description": "The defender correlates managed-app runtime behavior indicative of command or shell invocation with subsequent spawned process or shell-like execution effects, then raises confidence when the resulting activity produces local artifacts or network communication outside expected user context. Because direct shell-process visibility can be weaker on iOS in many enterprise deployments, the analytic anchors first on process-creation or lower-level OS API effects where mobile telemetry can observe them, then on lifecycle context and post-execution network or file behavior. Confidence is strongest when the same app shows command invocation followed by process execution and immediate follow-on effects.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor" }, { "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "name": "MobileEDR:telemetry", "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": 
"Correlation window between command-execution indication, process effects, and follow-on file or network behavior" }, { "field": "AllowedAppList", "description": "Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks" }, { "field": "AllowedProcessPatterns", "description": "Expected process-launch or helper-execution patterns for approved managed apps" }, { "field": "ForegroundStateRequired", "description": "Whether command-execution behavior should occur only during active user-driven workflows" }, { "field": "ArtifactPathPatterns", "description": "Expected temporary or output file locations for approved app behavior" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after command execution to treat network behavior as meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0666#AN1761", "external_id": "AN1761" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1761", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1824", "external_id": "AN1824" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-16T15:56:09.700Z", "name": "Analytic 1824", "description": "A legitimate-seeming app or update arrives through an expected or trusted distribution path, but the delivered application begins showing new entitlement exercise, background activity, framework use, sensor access, or network behavior inconsistent with its prior baseline or documented role. 
Because direct inspection of compromised dependencies or developer tooling is weaker on iOS, the defender emphasizes supervised-device app inventory, post-update behavior drift, new first-run or background patterns, and downstream communications that suggest compromised embedded libraries or manipulated build outputs.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "iOS:MDMLog", "channel": "Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum span 
between install/version change and first suspicious post-delivery behavior." }, { "field": "SupervisedOnly", "description": "Whether the analytic should only apply to supervised devices with high-confidence managed app telemetry." }, { "field": "AllowedAppList", "description": "Approved apps expected to change capabilities, services, or destinations because of legitimate releases." }, { "field": "AllowedVersionChangeWindow", "description": "Grace period after an approved release during which limited behavior drift may be expected." }, { "field": "CapabilityDriftThreshold", "description": "Threshold for how much entitlement or capability drift is tolerated for a known app." }, { "field": "SensorDriftThreshold", "description": "Threshold for newly used sensors or privacy-sensitive resources tolerated for a known app." }, { "field": "ForegroundStateRequired", "description": "Whether certain behaviors should only be treated as suspicious when they occur without visible user interaction." }, { "field": "RecentUserInteractionWindow", "description": "Threshold for distinguishing autonomous post-update activity from normal user-driven first-run behavior." }, { "field": "DestinationAllowList", "description": "Expected domains, telemetry services, or APIs associated with approved app updates and known SDK behavior." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1677", "external_id": "AN1677" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T17:21:52.654Z", "name": "Analytic 1677", "description": "From the defender\u2019s view: an app retrieves opaque code (DEX/SO/JAR/JS) over the network or IPC, writes it into an app-writable path, optionally performs verification-bypass behaviors (reflection, addJavascriptInterface exposure, or execmem friction), and then loads/executes that code via DexClassLoader/PathClassLoader, dlopen, or WebView bridge invocation within a short window. The analytic correlates Network Content \u2192 File Creation/Modification \u2192 OS API Execution (loader/syscall/SELinux friction) \u2192 Module Load (DexClassLoader/dlopen) and, for WebView paths, Application Log signals of JavaScript interface attachment.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "Create/write under /data/data//(files|cache)/ or /storage/emulated/0/ 
with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID" }, { "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "name": "android:logcat", "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max correlation window between download \u2192 write \u2192 load (e.g., 10\u201360s depending on device/workload)." }, { "field": "ContentTypeList", "description": "List of MIME types considered \u2018code-like\u2019 (octet-stream, zip, java-archive, x-dex, x-sharedlib, javascript)." }, { "field": "WritablePathRegex", "description": "Regex for app-writable destinations to watch (/data/data/<package>/(files|cache)/, /storage/emulated/0/...)." }, { "field": "PayloadEntropyThreshold", "description": "Entropy cutoff to flag likely code blobs (e.g., \u2265 7.2); compressed or encrypted media scores just as high, so use it together with MIME/extension evidence rather than on its own." }, { "field": "KnownGoodCDNAllowlist", "description": "CDNs/domains expected for legitimate updates to reduce FPs." }, { "field": "KnownGoodLoaderAllowlist", "description": "Bundles/libs known to legitimately load from writable paths (dev/test apps)." }, { "field": "JSInterfaceNameList", "description": "Names of allowed WebView JS interfaces for the org (e.g., analytics only)." }, { "field": "UserContext", "description": "Foreground/background, Work Profile, dev mode to scope alerts." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1828", "external_id": "AN1828" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-19T19:41:30.977Z", "name": "Analytic 1828", "description": "The defender correlates managed-app or supervised-device outbound sessions where protocol indicators such as TLS handshake, HTTP semantics, or other application-layer behaviors are observed over destination ports outside the approved baseline for that protocol and bundle role. The strongest iOS evidence is network telemetry showing repeated or persistent sessions using recognizable application protocols over uncommon ports, particularly during background refresh, while the device is locked, or without recent user interaction. 
Because direct local runtime attribution is weaker than Android, the primary iOS analytic should be anchored on network protocol-versus-port mismatch plus supervised managed-app context and device-state enrichment.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing" } ], "x_mitre_mutable_elements": [ { "field": "AllowedProtocolPortMappings", "description": "Approved protocol-to-port pairings vary by bundle, business workflow, proxy architecture, and enterprise policy." }, { "field": "SupervisedRequired", "description": "Strongest bundle-governance and protocol-port baseline analytics depend on supervised iOS devices." }, { "field": "AllowedManagedApps", "description": "Approved managed bundle identities vary by organization and device profile." }, { "field": "AllowedServiceClasses", "description": "Expected external service classes differ across managed app categories and enterprise mobile workflows." }, { "field": "TimeWindow", "description": "Correlation window linking non-standard-port sessions with lifecycle or local context signals." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close a session must be to user activity to be considered expected." }, { "field": "BeaconIntervalTolerance", "description": "Allowed recurrence interval for benign polling, sync, or persistent sessions differs by bundle type." }, { "field": "EnterpriseExceptionList", "description": "Known enterprise proxies, relays, developer tooling, and security products may legitimately use uncommon ports." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0697#AN1812", "external_id": "AN1812" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-06T19:21:56.951Z", "name": "Analytic 1812", "description": "A defender correlates an application being granted accessibility service control with subsequent consumption of high-volume accessibility events, interaction with sensitive UI elements or text-entry fields, optional overlay/window presentation over other applications, and near-term local buffering or outbound network transmission, indicating abuse of accessibility features for input capture, credential theft, or automated interaction.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity" } ], "x_mitre_mutable_elements": [ { "field": "AllowedAccessibilityApps", "description": "Allow-list of 
sanctioned accessibility-enabled apps in the environment, such as screen readers or approved assistive tools." }, { "field": "AccessibilityEventRateThreshold", "description": "Threshold for event volume or sustained event consumption indicating broad UI monitoring rather than limited assistive use." }, { "field": "SensitiveFieldCorrelationRequired", "description": "Determines whether detection should require correlation to text-entry fields, login screens, or password/credential UI contexts." }, { "field": "OverlayCorrelationWindow", "description": "Time window correlating accessibility activity with overlay/window presentation over other apps." }, { "field": "AccessibilityToNetworkWindow", "description": "Time window linking accessibility event capture or text change activity to outbound network communication." }, { "field": "BackgroundServiceAllowed", "description": "Tuning for whether background accessibility service activity is expected for approved assistive tools." }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound byte volume or burst count considered suspicious after accessibility event capture." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1683", "external_id": "AN1683" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T17:51:41.189Z", "name": "Analytic 1683", "description": "Defender correlates an app escalating file visibility (permissions/flags, legacy storage modes) with enumeration of other apps\u2019 storage or exported ContentProviders, followed by bulk reads/copies from target paths (including shared/external storage) and optional archive/encode then share/upload. 
Sequence: storage capability/permission gain \u2192 target discovery (provider queries, directory listing) \u2192 high-volume cross-app data reads from writable/shared paths \u2192 archive/encode \u2192 exfil/share within a short window.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "android:logcat", "channel": "Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "QUERY on exported ContentProviders of other packages (content://<authority>/*) or MediaStore scoped queries immediately preceding file reads" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "android:logcat", "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data/<package>/files/, /storage/emulated/0/Download/<app-dir>/*); on Android 11+ scoped storage blocks reads of other apps' Android/data directories even with MANAGE_EXTERNAL_STORAGE, so successful reads there indicate legacy storage mode or a bypass" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window to tie discovery \u2192 reads \u2192 package \u2192 exfil (e.g., 15\u2013120s)." }, { "field": "ExternalStoragePathRegex", "description": "Regex for cross-app paths on external/shared storage to monitor." 
}, { "field": "SuspiciousProviders", "description": "List of exported/weakly-protected content providers under scrutiny." }, { "field": "MinBytesRead", "description": "Lower bound on cumulative read volume to avoid noisy single-file accesses." }, { "field": "ArchiveExtensions", "description": "Extensions considered packaging (.zip,.gz,.7z,.tar,.db copies)." }, { "field": "ExfilDomainAllowlist", "description": "Known good CDNs/APIs to reduce false positives." }, { "field": "UserContext", "description": "Foreground/background, Work Profile, developer mode to scope alerts." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1752", "external_id": "AN1752" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T19:12:28.428Z", "name": "Analytic 1752", "description": "Defender correlates a custom keyboard extension activation (optionally with TCC \u2018Full Access\u2019) or abnormal UI text-entry interception with local keylog persistence and/or small egress. 
Chain: capability/consent (keyboard Full Access/TCC) \u2192 intercept (keyboard commit events or repeated secure text entry edits) \u2192 persist to container \u2192 near-term egress.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "iOS:unifiedlog", "channel": "Keyboard extension Full Access change or related privacy grant for <bundle_id>" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "Secure text entry focus and editingChanged bursts not typical for the app (iOS does not present custom keyboards for secureTextEntry fields, so this signal points to in-app interception rather than to the keyboard extension)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from intercept \u2192 persist/exfil (e.g., 5\u201360s)." }, { "field": "MinKeyEventBurst", "description": "Minimum keyboard commit or editingChanged events (e.g., \u226510)." }, { "field": "KeyboardFullAccessRequired", "description": "Require Full Access to elevate severity (true/false); a keyboard extension without Full Access cannot reach the network, so egress attributed to the extension itself implies Full Access was granted." }, { "field": "PersistPathRegex", "description": "Regex for keylog artifacts under container paths." }, { "field": "ExfilDomainAllowlist", "description": "Allowlisted enterprise/analytics endpoints." }, { "field": "UserContext", "description": "Foreground state, Focus modes, MDM policy." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1779", "external_id": "AN1779" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T19:53:20.408Z", "name": "Analytic 1779", "description": "Defender correlates a look-alike prompt inside an app (e.g., faux Apple ID password view, webview of brand login) with timing against scene/foreground activation, optional push notification bait, then local form cache writes and/or small egress. Chain: scene activation around sensitive UI \u2192 suspicious prompt creation (UIKit events without expected auth controller) or webview navigated to look-alike domain \u2192 local cache write \u2192 near-term egress.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields" }, { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "iOS:unifiedlog", "channel": "Scene/foreground transitions for <bundle_id> to contextualize timing" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "iOS:unifiedlog", "channel": "WKWebView navigation to domain visually similar to target 
brand (IDN/punycode/alike score)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from prompt to persist/exfil (e.g., 5\u201360s)." }, { "field": "LookalikeDomainScore", "description": "Threshold for domain visual similarity (e.g., \u22650.85)." }, { "field": "PersistPathRegex", "description": "Regex for credential/form cache artifacts in container." }, { "field": "ExfilDomainAllowlist", "description": "Enterprise/analytics endpoints to suppress FPs" }, { "field": "UserContext", "description": "MDM policy, Focus mode, foreground requirement." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1724", "external_id": "AN1724" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-11T16:09:37.177Z", "name": "Analytic 1724", "description": "Defender correlates an iOS-specific reduced-confidence chain where a supervised or managed device transitions from locked or inactive state to interactive or application-active state with weak evidence of expected user authentication, often accompanied by abnormal protected posture change, trust-state change, unexpected app wake, sensor use, or immediate downstream communication. 
Because direct visibility into lockscreen bypass mechanics on iOS is limited, the analytic prioritizes strong device-state effects and post-unlock behavior rather than pretending to observe the exact bypass method.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "iOS:MDMLog", "channel": "Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Application wakes, becomes active, refreshes, or foregrounds immediately after locked or inactive state transition with weak recent user interaction" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum allowed span between locked or inactive device state, suspicious app/service activity, and interactive transition." }, { "field": "AllowedAppList", "description": "Apps allowed to wake, foreground, or access protected resources near legitimate authentication events." }, { "field": "SupervisedOnly", "description": "Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry." }, { "field": "RecentUserInteractionWindow", "description": "Time threshold for treating the transition as expected and user-driven." }, { "field": "ExpectedUnlockPopulation", "description": "User or device groups expected to use atypical enterprise lockscreen workflows, kiosk-like modes, or accessibility accommodations." 
}, { "field": "SensorUseAllowList", "description": "Apps expected to access camera or biometric-adjacent resources near the authentication boundary." }, { "field": "TrustedDestinationAllowList", "description": "Expected destinations contacted immediately after legitimate app activation post-authentication." }, { "field": "UplinkBytesThreshold", "description": "Threshold for suspicious immediate outbound traffic after suspicious unlock-adjacent activity." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1776", "external_id": "AN1776" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-04T23:46:03.218Z", "name": "Analytic 1776", "description": "Defender correlates an application gaining/retaining fine or background location capability with subsequent location sensor sessions that occur while the app is backgrounded or the device is locked, followed by repeated location reads at a periodic cadence and near-term outbound connections to domains not typical for fleet navigation/MDM services, indicating covert location tracking.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "EDR:telemetry", "channel": "Sustained or high-frequency location sensor access, including background location usage" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+)" } ], "x_mitre_mutable_elements": [ { "field": "LocationSamplingFrequencyThreshold", "description": "Defines acceptable rate of location queries before triggering anomaly conditions" }, { "field": "BackgroundLocationPolicy", "description": "Baseline of legitimate background location usage across applications" }, { "field": "LocationToNetworkTimeWindow", "description": "Temporal linkage between location access and outbound traffic" }, { "field": "UserInteractionWindow", "description": "Maximum time since last user interaction before location access becomes suspicious." }, { "field": "AllowedLocationApps", "description": "Allow-list of expected location-heavy apps (maps, rideshare, fleet apps) for the enterprise device population" }, { "field": "DevicePolicySensitivity", "description": "Tuning for how aggressively to treat background location permission as risky depending on org policy." }, { "field": "AllowedDestinationsBaseline", "description": "Baseline of expected domains/IPs for legitimate location services (OEM, mapping SDKs, MDM endpoints) to reduce false positives." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1675", "external_id": "AN1675" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-17T20:48:31.295Z", "name": "Analytic 1675", "description": "The defender correlates an app-attributed request to a legitimate public web platform with a subsequent outbound connection to a newly derived or previously unseen destination within a short time window. The behavior is strengthened when the initial request retrieves structured or encoded content followed by a pivot to a different domain or IP that was not previously contacted by the app, especially when occurring without user interaction, in background state, or immediately after app initialization or scheduled execution. 
This sequence reflects resolver retrieval followed by dynamic C2 resolution.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": 
"Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App initiating resolver\u2192pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum allowed time between resolver retrieval and pivot connection (e.g., 5\u201360 seconds)." }, { "field": "NewDomainThreshold", "description": "Defines what qualifies as a previously unseen or rare destination for the app or device." }, { "field": "AllowedServiceToDestinationMapping", "description": "Legitimate mappings between apps and expected downstream services." }, { "field": "UserInteractionThreshold", "description": "Defines acceptable delay between user interaction and network activity." }, { "field": "PayloadSizeThreshold", "description": "Small resolver responses followed by larger pivot traffic can indicate extraction behavior." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1848", "external_id": "AN1848" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T15:57:30.214Z", "name": "Analytic 1848", "description": "The defender correlates an application establishing outbound retrieval to a non-baselined external source with immediate local creation of a new executable, module, staged payload, overlay asset, or secondary file in app-controlled or shared storage, followed by optional load, invocation, handoff, or repeat retrieval behavior. The analytic prioritizes Android-observable effects: network download activity, DownloadManager or direct HTTP retrieval, file creation in package-specific or external paths, and execution context inconsistent with recent user interaction or the app\u2019s declared role.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately 
after remote session establishment" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Ingress transfer and local file creation occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed app without approved content-download, update, browser, or file-sync role performs remote payload retrieval and local tool staging" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between remote retrieval, local write, and any follow-on load or transfer completion" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to download files such as browsers, enterprise app stores, backup/sync tools, or content delivery apps" }, { "field": "AllowedDestinationList", "description": "Approved software distribution, CDN, MDM, and enterprise update endpoints" }, { "field": "AllowedPathList", "description": "Expected local download, cache, and update paths for legitimate app behavior" }, { "field": "IngressBytesThreshold", "description": "Minimum inbound transfer size consistent with a staged secondary tool or payload" }, { "field": "ForegroundStateRequired", "description": "Whether file retrieval should occur only during active user-driven workflows" }, { "field": "FileTypeRiskPatterns", "description": "Environment-specific set of retrieved file classes considered suspicious such as apk, dex, 
jar, so, zip, html overlay, or opaque blob" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1784", "external_id": "AN1784" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-02T16:07:33.370Z", "name": "Analytic 1784", "description": "Defender observes an app enumerating installed security/management controls (AV/EDR/MDM/VPN/Play Protect) via PackageManager, DevicePolicyManager, AppOps, and Settings queries or shell \u2018pm list\u2019 usage, optionally probing Accessibility/Device Admin state. Enumeration is followed by local inventory artifact creation and/or small egress. Chain: capability to query \u2192 burst of security-focused checks (packages/permissions/policies) \u2192 optional foreground targeting \u2192 artifact write \u2192 quick POST.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. 
Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks" }, { "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "name": "android:logcat", "channel": "Command 'pm list packages' executed by app sandbox or child proc" }, { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "android:logcat", "channel": "Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE /data/data/<package>/(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from discovery burst to persist/exfil (e.g., 10\u2013120s)." }, { "field": "MinEnumCount", "description": "Minimum API calls/rows indicating inventory (e.g., \u226530 in 10s)." }, { "field": "SecurityTargetsList", "description": "Regex/prefix list of AV/EDR/MDM/VPN packages & services to elevate severity." }, { "field": "PersistPathRegex", "description": "Regex for local inventory artifacts (DB/JSON/TXT) in app container." }, { "field": "ExfilDomainAllowlist", "description": "Allowlisted analytics/endpoints to suppress FPs." }, { "field": "WorkProfileOnly", "description": "Scope to Work Profile events to reduce personal-profile noise." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0699#AN1815", "external_id": "AN1815" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:28.435Z", "name": "Analytic 1815", "description": "Correlates (1) continuous or repeated use of motion or interaction-inference signals that do not require overt user-facing privilege prompts, (2) suppression of higher-risk behavior while user presence or active handling is inferred, and (3) resumption of background execution, sensor use, local data handling, or network activity only when device interaction falls below a threshold. The defender observes a causal chain where an application senses user/device interaction state and intentionally gates malicious behavior to user-inactive periods.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "application reduces or halts operational activity during periods of active user interaction and resumes background execution or periodic work only during 
low-motion or idle intervals" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between motion-state inference and subsequent deferred execution" }, { "field": "IdleThreshold", "description": "Threshold defining when device motion or interaction is considered low enough to permit hidden execution" }, { "field": "InteractionSignalSet", "description": "Environment-specific set of motion or activity signals used to infer user presence" }, { "field": "AllowedAppList", "description": "Baseline of legitimate applications expected to use motion or activity sensing while also conditionally changing behavior" }, { "field": "ForegroundStateRequired", "description": "Whether suspiciousness increases when deferred activity starts from background or with no recent foreground interaction" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound traffic threshold used to distinguish meaningful deferred operation from benign maintenance traffic" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0656#AN1744", "external_id": "AN1744" }, { "source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. 
Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1744", "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1751", "external_id": "AN1751" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T18:53:00.289Z", "name": "Analytic 1751", "description": "Defender correlates an app acquiring input-capture capability (AccessibilityService enablement or default IME set) with high-frequency text-change/IME commit callbacks sourced from other packages, followed by local keylog persistence and/or small, immediate network egress. Chain: capability/permission \u2192 intercept (accessibility \u2018TYPE_VIEW_TEXT_CHANGED\u2019 or IME commitText/onStartInput bursts) \u2192 persist to container \u2192 near-term egress.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "android:logcat", "channel": "Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for the suspect package" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "Default IME active imeId=<suspect IME component>; frequent onStartInput/commitText calls" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE to /data/data/<package>/(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time between intercept \u2192 persist/exfil (e.g., 5\u201345s)." 
}, { "field": "MinKeyEventBurst", "description": "Minimum input events in window to flag (e.g., \u226510)." }, { "field": "RequireA11yOrIME", "description": "Only alert when capability is via Accessibility or IME (true/false)." }, { "field": "PersistPathRegex", "description": "Regex for keylog artifacts in app container." }, { "field": "ExfilDomainAllowlist", "description": "Enterprise/analytics endpoints to suppress FPs." }, { "field": "UserContext", "description": "Foreground/Work Profile/Kiosk to scope alerts." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0619#AN1680", "external_id": "AN1680" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1680", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0609#AN1661", "external_id": "AN1661" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1661", "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f", "created": "2025-10-21T15:10:28.402Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0689#AN1800", "external_id": "AN1800" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T18:04:23.913Z", "name": "Analytic 1800", "description": "Correlates (1) modification or replacement of system runtime libraries or API resolution paths, (2) repeated invocation of hijacked APIs across multiple applications, and (3) inconsistent or suppressed outputs from those APIs compared to expected OS-enforced behavior. The defender observes a causal chain where system-level API behavior is altered, resulting in multiple applications exhibiting consistent anomalies in sensor access, permission checks, or system state reporting.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window across multiple applications invoking affected APIs" }, { "field": "SensitiveAPISet", "description": "Set of APIs monitored for integrity 
(e.g., location, telephony, permission checks)" }, { "field": "CrossAppConsistencyThreshold", "description": "Number of applications required to exhibit anomalous API behavior to trigger detection" }, { "field": "ExpectedAPIBaseline", "description": "Baseline of expected API return values or behavior patterns per device state" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0656#AN1743", "external_id": "AN1743" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-02T17:41:17.052Z", "name": "Analytic 1743", "description": "Defender observes an OAuth/OIDC redirect (ACTION_VIEW) resolved to a non-allowlisted handler package (logcat:IntentResolver), followed within a short window by that same package accessing token material via AccountManager/Keystore or reading application token caches under /data/data/<package>/(shared_prefs|databases) (logcat:AccountManager, logcat:Keystore, logcat:FileIO). 
Correlate on package/UID/profile and time proximity to indicate token acquisition.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "ACTION_VIEW redirect_uri handled by unexpected package" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "Task switch from browser/custom tab to handler immediately after OAuth return" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "android:logcat", "channel": "KeyChain/AndroidKeyStore read of token alias" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max seconds between redirect handling and token access (e.g., 30\u2013180)." }, { "field": "RedirectUriAllowlist", "description": "Approved redirect URI patterns per app. Prefer verified HTTPS App Links; a custom app-scheme redirect can be registered by any installed app, so scheme-based entries should always be paired with TrustedHandlerPackages." }, { "field": "TrustedHandlerPackages", "description": "Expected package names allowed to handle the redirect." }, { "field": "TokenFileRegex", "description": "Environment-specific token cache filenames/paths." }, { "field": "WorkProfileScope", "description": "Restrict to enterprise work profile to reduce personal-app noise." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1794", "external_id": "AN1794" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-04T23:56:19.093Z", "name": "Analytic 1794", "description": "A defender observes an application generating application-layer communications that blend with normal traffic (HTTP(S), WebSocket, DNS, mail protocols) but show deviations from enterprise baselines for that bundle ID\u2014such as persistent background network sessions, regular low-volume polling intervals, anomalous SNI/Host destinations, uncommon DNS patterns, or uniform request/response sizing\u2014suggesting command and control over legitimate-looking protocols without relying on tool signatures.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "name": "NSM:Flow", "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction" } ], "x_mitre_mutable_elements": [ { "field": "CadenceAnomalyThreshold", "description": "Defines acceptable deviation in protocol communication timing" }, { "field": "SessionPersistenceThreshold", "description": "Baseline deviation tolerance for long-lived sessions" }, { "field": "AppNetworkBehaviorBaseline", "description": "Expected mapping of application functionality to protocol usage" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1726", "external_id": "AN1726" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-08T16:26:13.027Z", "name": "Analytic 1726", "description": "The defender correlates supervised-device application posture and background execution context with network-side evidence that an app rejects enterprise inspection or performs certificate/public-key-bound trust behavior during TLS establishment. Because direct app-level pin-validation observability is weaker on iOS, the analytic is anchored primarily to network control-plane effects: repeated TLS handshake rejection under enterprise inspection, destination-specific inspection bypass patterns, or persistent opaque app-to-endpoint encrypted sessions inconsistent with baseline app behavior. 
Additional confidence comes from managed app identity, background execution context, and supervised device policy state.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Managed app initiates or resumes network-capable execution while app_state=background or device_locked=true before opaque TLS session attempt" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Inspection", "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between app lifecycle event and network-side inspection failure or opaque TLS session" }, { "field": "AllowedAppList", "description": "Managed apps expected to use certificate or public-key pinning for legitimate purposes" }, { "field": "AllowedDestinationList", "description": "Approved 
endpoints expected for legitimate pinned sessions" }, { "field": "ForegroundStateRequired", "description": "Whether the app is expected to perform network establishment only during user-driven workflows" }, { "field": "InspectionFailureThreshold", "description": "Number of repeated TLS-inspection failures needed before escalating confidence" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0714#AN1842", "external_id": "AN1842" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:29.495Z", "name": "Analytic 1842", "description": "Correlates (1) suppression or disablement of launcher-visible application components or effective reduction of user-facing launcher presence, (2) persistence of installed application state after icon suppression, and (3) continued runtime activity such as background execution, framework use, sensor access, or network communication after the icon becomes unavailable or is replaced by reduced-discoverability launcher behavior. 
The defender observes a causal chain where an app removes or reduces its launcher visibility while remaining operational and continuing meaningful activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between icon suppression and later runtime activity" }, { "field": "AllowedAppList", "description": "Baseline of legitimate apps permitted to reduce launcher visibility, such as managed agents, work-profile utilities, or system applications" }, { "field": "ForegroundStateRequired", "description": "Whether post-suppression behavior is only suspicious when no recent foreground interaction is present" }, { "field": "SuppressionMode", "description": "Environment-specific handling of hidden, disabled, or synthesized launcher behavior depending on Android version and management posture" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background maintenance" }, { "field": 
"SensorAfterSuppressionThreshold", "description": "Threshold for sensor access frequency after launcher visibility is reduced" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0640#AN1715", "external_id": "AN1715" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T19:26:01.974Z", "name": "Analytic 1715", "description": "Correlates (1) changes to application visibility or user-facing presence such as launcher component disablement, icon suppression, or reduced discoverability, (2) continued application execution or privileged framework activity after that visibility reduction, and (3) follow-on behavior such as background network communication, sensor access, or persistence-related state transitions. 
The defender observes a causal chain where an application becomes less visible to the user while retaining or increasing operational activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between visibility suppression and later hidden execution or network activity" }, { "field": "AllowedAppList", "description": "Baseline of legitimate apps allowed to hide launcher presence or disable user-facing components" }, { "field": "ForegroundStateRequired", "description": "Whether post-hide activity is only suspicious when no foreground interaction occurs" }, { "field": "HiddenComponentThreshold", "description": "Threshold for number or type of launcher-visible components disabled before raising suspicion" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background telemetry" }, { "field": "SensorAfterHideThreshold", "description": "Threshold for sensor access frequency after visibility suppression" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0713#AN1840", "external_id": "AN1840" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-08T20:08:28.641Z", "name": "Analytic 1840", "description": "The defender correlates newly granted or recently exercised storage- or privilege-relevant access with burst reads of local files, local databases, or protected records from operating-system or external-storage locations, especially when the reads are inconsistent with app role, occur in background or locked-device context, or are followed by temporary data staging or network transmission. The analytic emphasizes Android-specific observables such as external storage access, app-private database reads where visible to the sensor, and repeated enumeration/read activity against local paths associated with media, tokens, caches, or exported application data.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "MobileEDR:telemetry", "channel": "Application performs burst reads across local system 
paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between permission state, local data reads, optional staging, and outbound transfer" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to read local files or databases such as backup, sync, file manager, security, or media management apps" }, { "field": "AllowedPathList", "description": "Expected local paths, storage roots, and database locations for legitimate app behavior" }, { "field": "ForegroundStateRequired", "description": "Whether sensitive local data access should happen only during active user-driven workflows" }, { "field": "BurstReadThreshold", "description": "Minimum number of file or record reads within a short interval required to indicate suspicious collection" }, { "field": "SensitivePathPatterns", "description": "Environment-specific list of high-value local paths such as external media roots, app export folders, token stores, or browser data locations" }, { "field": "UplinkBytesThreshold", "description": "Minimum upload size expected if collection is followed by exfiltration" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0712#AN1839", "external_id": "AN1839" }, { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1839", "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.\nVerified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet Attestation API (since deprecated in favor of the Play Integrity API) provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices; attestation verdicts should be validated server-side rather than trusted as reported by the device. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0636#AN1710", "external_id": "AN1710" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-18T19:46:01.796Z", "name": "Analytic 1710", "description": "Defender observes an app (package/UID) repeatedly querying device networking context APIs (Wi-Fi scan results/current SSID/BSSID, Bluetooth 
device discovery, or cellular tower lists) at a rate or timing inconsistent with the app\u2019s normal UX, often while backgrounded. Correlate API calls with permission usage (fine location, nearby devices/Bluetooth) and concurrent connectivity probes (DNS lookups/ARP/port reachability) to distinguish automated discovery from user-initiated settings checks. The detection is based on observed API execution + permission use + rate/sequence, not the specific API method name.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "android:appops", "channel": "ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window to link 
scan/enumeration API usage with subsequent probes (e.g., 30\u2013300s)." }, { "field": "MinScanCalls", "description": "Minimum number of scan/enumeration calls per window before flagging (e.g., \u22653 Wi-Fi scans / 5 min)." }, { "field": "MinUniqueTargets", "description": "For Bluetooth/cell, minimum unique devices/towers observed per window (helps avoid single-device noise)." }, { "field": "BackgroundOnly", "description": "Require app to be backgrounded during discovery to suppress legitimate UI-driven network selection." }, { "field": "AllowlistedPackages", "description": "Packages expected to scan (system settings, Wi-Fi managers, MDM, enterprise connectivity tools)." }, { "field": "LocationPermissionRequired", "description": "If true, require AppOps noteOp for fine location/nearby devices to reduce false positives." }, { "field": "LocalProbeCIDRs", "description": "CIDR ranges considered 'local discovery' targets (e.g., 192.168.0.0/16, 10.0.0.0/8)." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0681#AN1786", "external_id": "AN1786" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1786", "description": "The user can view permissions granted to an application in device settings. \nApplication vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. 
Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1646", "external_id": "AN1646" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T20:03:14.269Z", "name": "Analytic 1646", "description": "Defender correlates an app enumerating installed packages (PackageManager queries or shell 'pm list packages') with selective checks for high-value targets (banking/identity/security apps) and near-term persistence/egress of the inventory. 
Chain: capability to query apps \u2192 burst of enumeration calls or shell listing \u2192 optional foreground target detection \u2192 local inventory file \u2192 small POST to remote endpoint.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for <pkg> (on Android 11+ a full inventory requires QUERY_ALL_PACKAGES or a broad queries manifest declaration, which is itself a vetting signal). TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by <pkg>" }, { "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "name": "android:logcat", "channel": "Command 'pm list packages' executed by app sandbox or child proc" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from enumeration to persist/exfil (e.g., 10\u2013120s)." }, { "field": "MinEnumCount", "description": "Minimum count of package queries or listed rows to treat as inventory (e.g., \u226550)." }, { "field": "TargetAppWatchlist", "description": "List of sensitive app package prefixes (banking/IdP/AV/MDM) to raise severity." }, { "field": "PersistPathRegex", "description": "Regex for inventory artifacts in the app container." }, { "field": "ExfilDomainAllowlist", "description": "Known-good analytics/CDN endpoints to suppress FPs." }, { "field": "UserContext", "description": "Work Profile/Kiosk/Jamf/Intune policy context to scope benign inventory jobs." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0629#AN1699", "external_id": "AN1699" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1699", "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1698", "external_id": "AN1698" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-13T23:37:57.341Z", "name": "Analytic 1698", "description": "A managed or supervised app, app update, or enterprise-distributed build retains a legitimate-seeming identity but exhibits post-delivery behavior inconsistent with its expected role, prior version, or distribution context. 
Because iOS exposes less direct visibility into bundled dependency tampering or component-level supply-chain insertion, the defender prioritizes supervised app inventory, signing/provisioning trust posture, entitlement and behavior drift after update, new sensor/resource use, and new downstream network effects soon after install or version change.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "iOS:MDMLog", "channel": "Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum span between app install/version change and 
first suspicious post-delivery behavior." }, { "field": "SupervisedOnly", "description": "Whether the analytic should only apply to supervised devices with high-confidence app inventory and managed distribution telemetry." }, { "field": "AllowedAppList", "description": "Approved apps expected to expand capabilities or contact new destinations because of legitimate releases." }, { "field": "AllowedVersionChangeWindow", "description": "Grace period after approved releases during which some behavior drift may be expected." }, { "field": "ForegroundStateRequired", "description": "Whether certain behaviors should only be treated as suspicious when they occur without expected visible user interaction." }, { "field": "RecentUserInteractionWindow", "description": "Threshold for distinguishing autonomous post-update behavior from expected user-driven first-run flows." }, { "field": "DestinationAllowList", "description": "Expected new domains, APIs, telemetry services, or CDNs associated with approved app updates." }, { "field": "CapabilityDriftThreshold", "description": "Threshold for how much entitlement or capability drift is tolerated for a known app." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1825", "external_id": "AN1825" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T18:28:31.071Z", "name": "Analytic 1825", "description": "Defender observes an app gaining input-observation capability (AccessibilityService enablement, default IME set, draw-over-apps permission), then creating an intercept surface (overlay window, accessibility event stream consumption or IME keystroke callbacks), followed by persistence (local keylog/clipboard dump) and/or small, frequent network egress. Chain: capability/permission \u2192 listener/overlay activation \u2192 bursty input read events \u2192 local write \u2192 near-term exfil.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "android:logcat", "channel": "User enablement of a service protected by BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD (reflected in Settings.Secure enabled_accessibility_services / default_input_method), or grant of SYSTEM_ALERT_WINDOW or POST_NOTIFICATIONS, for <pkg>" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "android:logcat", "channel": "Default IME changed/active: imeId=<pkg>, 
onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package <target package>" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "CREATE/WRITE paths like /data/data/<pkg>/files/(keys|inputs)/.*\\\\.(db|txt|log)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from input intercept to persist/exfil (e.g., 5\u201345s)." }, { "field": "MinInputEventBurst", "description": "Minimum count of input events within window to flag harvesting (e.g., \u22655)." }, { "field": "OverlayRequired", "description": "Require overlay creation if Accessibility not present (true/false)." }, { "field": "PersistPathRegex", "description": "Regex for keylog/clipboard dump destinations in app container." }, { "field": "ExfilDomainAllowlist", "description": "Known-good analytics/CDN endpoints to suppress FPs." }, { "field": "UserContext", "description": "Foreground/background/Work Profile or Kiosk policy to scope alerts." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1728", "external_id": "AN1728" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T19:15:22.491Z", "name": "Analytic 1728", "description": "Correlates (1) acquisition of foreground or background location permission sufficient for continuous geolocation evaluation, (2) repeated location checks or registration of geofence monitoring in background or low-interaction states, and (3) transition into sensitive behavior only after the device enters, exits, or remains within a qualifying geographic region. 
The defender observes a causal chain where an application suppresses malicious or higher-risk behavior until a location-derived condition is satisfied, then initiates follow-on actions such as network communication, background processing, or protected resource access.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "application remains dormant, low-activity, or background-resident across non-qualifying locations and transitions into active execution only after geographic condition is met" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + capability state sufficient for persistent geolocation monitoring before later guarded activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between location evaluation, region transition, and guarded execution" }, { "field": "RegionMatchThreshold", "description": "Defines proximity, radius, or duration within region required before subsequent activity is considered geographically gated" }, { "field": "BackgroundLocationRequired", "description": "Whether 
suspiciousness increases when background location permission is present and activity occurs outside foreground use" }, { "field": "DormancyThreshold", "description": "Amount of low-activity or dormant runtime before location-qualified activation" }, { "field": "AllowedAppList", "description": "Baseline of legitimate apps expected to use geofencing or conditional location-based features" }, { "field": "ForegroundStateRequired", "description": "Whether execution should be considered higher fidelity only when it begins from background or without recent user interaction" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound traffic volume used to distinguish meaningful post-match activity from benign telemetry" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1754", "external_id": "AN1754" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-24T17:56:26.375Z", "name": "Analytic 1754", "description": "Defender observes anomalous signaling interactions involving subscriber identity or location resolution events associated with a device, including abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies indicative of SS7 abuse. 
(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "TelecomLogs:SS7Signaling", "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities" }, { "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "name": "TelecomLogs:MobilityEvents", "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity" } ], "x_mitre_mutable_elements": [ { "field": "LocationQueryAnomalyThreshold", "description": "Baseline deviation tolerance for location resolution events" }, { "field": "SignalingPathDeviationThreshold", "description": "Expected vs observed signaling routing paths" }, { "field": "SubscriberResolutionFrequency", "description": "Threshold for abnormal resolution or lookup behavior" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1785", "external_id": "AN1785" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-02T16:21:09.206Z", "name": "Analytic 1785", "description": "Defender correlates app attempts to enumerate or infer security/management tooling (ManagedConfiguration/MDM presence, VPN/NEFilter config, AV/EDR app presence 
via LaunchServices or URL-scheme probing, private APIs) with local inventory persistence and egress. Chain: probe (MDM/NE/VPN/AV presence) \u2192 burst of LS/canOpenURL/ManagedConfiguration calls \u2192 inventory cache write \u2192 small POST.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from probe burst to persist/exfil (e.g., 10\u2013120s)." }, { "field": "MinProbeCount", "description": "Minimum API/probe count to flag (e.g., \u226525/10s)." }, { "field": "SecurityTargetsList", "description": "Schemes/bundle IDs for AV/EDR/MDM/VPN vendors (regex/prefix)." }, { "field": "PersistPathRegex", "description": "Regex for inventory artifacts in app/extension containers." }, { "field": "ExfilDomainAllowlist", "description": "Known-good analytics/CDN allowlist." }, { "field": "JailbreakContext", "description": "Escalate severity if private APIs used on non-managed devices." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0602#AN1651", "external_id": "AN1651" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1651", "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1653", "external_id": "AN1653" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": 
"2026-03-16T21:48:51.316Z", "name": "Analytic 1653", "description": "The defender observes a newly enrolled or recently activated device presenting abnormal integrity, hardware-backed attestation, or firmware/build relationships at the management plane, followed by privileged or system-context access to protected resources or framework paths, and then outbound communication inconsistent with setup state, lock state, or recent user interaction. The causal sequence is strongest when the device has not yet reached a normal trusted posture but still exhibits system-level capability use or network activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device property drift near first contact" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Protected resource use or privileged framework access occurs while device is locked, before normal setup completion, or from an app/service not in foreground and not on approved preload list" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image" } ], "x_mitre_mutable_elements": [ { 
"field": "TimeWindow", "description": "Correlation window between enrollment/posture anomaly, privileged capability use, and network egress." }, { "field": "AllowedOEMComponents", "description": "Approved system identities, preload packages, and OEM services differ by model and fleet." }, { "field": "AllowedDestinations", "description": "OEM update, activation, MDM, and enterprise service destinations vary by environment." }, { "field": "ForegroundStateRequired", "description": "Some protected resource access may be legitimate only when the app is foregrounded." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close resource access must be to user interaction to be considered expected." }, { "field": "EnrollmentGracePeriod", "description": "Initial setup/update behavior may generate benign network or configuration drift for a short period." }, { "field": "UplinkBytesThreshold", "description": "Size threshold for suspicious outbound transfer from a device in abnormal posture." }, { "field": "ApprovedImageBaseline", "description": "Known-good build fingerprint, patch, boot state, and baseband combinations vary by device fleet." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0602#AN1650", "external_id": "AN1650" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-23T17:35:57.553Z", "name": "Analytic 1650", "description": "OLD: Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. 
\nOn Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.\n\nNEW: A defender observes an Android application requesting `android.permission.READ_CALL_LOG`, which may also be listed in the application's manifest file. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "Invocation of CallLogs.getLastOutgoingCall()" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Application granted or retaining the READ_CALL_LOG permission. " } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0696#AN1811", "external_id": "AN1811" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1811", "description": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": 
"x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0669#AN1765", "external_id": "AN1765" }, { "source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" }, { "source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1765", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], 
"x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1771", "external_id": "AN1771" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-17T20:24:52.509Z", "name": "Analytic 1771", "description": "The defender correlates communication to legitimate external web-service platforms with supervised managed-app context and device-state information showing that the traffic is inconsistent with the app's expected role, background-refresh profile, or user interaction timing. On iOS, the strongest reliable evidence is network telemetry tied to a managed app or device plus app state and supervision context, especially when traffic to social, collaboration, cloud-storage, or generic HTTPS platforms occurs shortly after background activity, while the device is locked, or without expected user-driven foreground execution. 
Direct low-level framework visibility is weaker than on Android, so primary analytic confidence should be anchored to supervised app context plus network behavior rather than assumed host-level proof.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Managed app shows background activity, refresh, or lock-state-adjacent execution temporally aligned to web-service communication without expected foreground use or recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", 
"description": "Correlation window between app state changes and communication with legitimate web-service infrastructure." }, { "field": "SupervisedRequired", "description": "Strongest app context and managed state analytics depend on supervised iOS devices." }, { "field": "AllowedManagedApps", "description": "Approved managed apps and expected business use vary by organization and device profile." }, { "field": "AllowedServiceClasses", "description": "Some managed apps legitimately communicate with collaboration, cloud-storage, or messaging services." }, { "field": "AllowedDestinations", "description": "Expected Apple, enterprise, SaaS, CDN, and API destinations vary by app and tenant." }, { "field": "BackgroundRefreshBaseline", "description": "Normal background network behavior differs across mail, chat, navigation, and enterprise apps." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close traffic must be to user activity to be considered expected." }, { "field": "BeaconIntervalTolerance", "description": "Allowed periodicity for sync, push, and refresh traffic varies across app categories." }, { "field": "UplinkBytesThreshold", "description": "Threshold for suspicious transfer volume to legitimate web-service platforms." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1682", "external_id": "AN1682" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-02T20:40:39.182Z", "name": "Analytic 1682", "description": "Defender observes an application establishing recurrent HTTPS or APNS-related communications exhibiting structured cadence, abnormal session persistence, or notification-triggered network bursts inconsistent with user interaction patterns or declared application behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline" } ], "x_mitre_mutable_elements": [ { "field": "NotificationWakeFrequencyThreshold", "description": "Baseline deviation tolerance for background wake events" }, { "field": "HTTPSCadenceAnomalyThreshold", "description": "Acceptable deviation in recurring web traffic timing" }, { "field": "SessionPersistenceThreshold", "description": "Threshold for abnormal TLS session duration" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": 
"mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0624#AN1690", "external_id": "AN1690" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1690", "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0709#AN1833", "external_id": "AN1833" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1833", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1741", "external_id": "AN1741" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T20:26:15.372Z", "name": "Analytic 1741", "description": "The defender correlates app-driven shell or command execution setup with subsequent process creation, command invocation, or script-driven follow-on behavior under the same app context, especially when command execution occurs from background state, without recent user interaction, or immediately after payload retrieval or local staging. 
The analytic prioritizes Android-observable control-plane effects: Java Runtime or similar command-execution method use, shell or sh-like process creation, command parameter visibility where available, and immediate file or network effects produced by the interpreter.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "name": "MobileEDR:telemetry", "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between command-launch method use, process creation, and follow-on file or network effects" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to run shell-like or administrative commands, such as enterprise support tools, terminal apps, approved EMM agents, or developer tooling" }, { "field": "AllowedProcessPatterns", "description": "Expected command interpreters, process names, or parent-child execution chains for approved apps" }, { "field": "ForegroundStateRequired", "description": "Whether command execution should occur only during active user-driven workflows" }, { "field": "CommandArgumentRiskPatterns", "description": "Environment-specific list of suspicious command arguments, redirection usage, chaining operators, or 
shell-control syntax" }, { "field": "PostExecutionWriteThreshold", "description": "Minimum number or size of file artifacts created after interpreter execution to increase confidence" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after command execution to treat network behavior as meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0603#AN1652", "external_id": "AN1652" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:31.921Z", "name": "Analytic 1652", "description": "Correlates (1) acquisition or presence of elevated control paths capable of forcing a lock state or blocking user interaction, (2) invocation of screen-locking or UI-denial behavior such as DevicePolicyManager lock operations, persistent overlays, accessibility-driven navigation interruption, or foreground lock-screen impersonation, and (3) immediate transition of the device into an unavailable or repeatedly re-locked state while the responsible application remains installed and active. 
The defender observes a causal chain where an application first gains the ability to control lock-related behavior, then forces or simulates lockout, and the device becomes unusable to the legitimate user.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between privileged control acquisition, lockout action, and resulting device lock state" }, { "field": "ProtectedRoleSet", "description": "Set of elevated roles that materially increase lockout capability, such as device admin, device owner, profile owner, or accessibility service" }, { "field": "LockActionSet", "description": "Framework actions treated as lockout-relevant, including lockNow, password-control changes, overlay persistence, and UI-denial actions" }, { "field": 
"AllowedAdminApps", "description": "Baseline of legitimate enterprise or security apps expected to invoke lock-related controls" }, { "field": "RelockThreshold", "description": "Number of repeated lock or lock-like transitions in a short interval required before escalation" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold confirming continued meaningful activity after lockout" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0599#AN1645", "external_id": "AN1645" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T16:57:33.679Z", "name": "Analytic 1645", "description": "The defender correlates SMS-relevant permission state or default SMS handler role with subsequent unauthorized SMS send, receive interception, message database modification, deletion, or concealment behavior by an application outside expected messaging workflows. 
The analytic prioritizes Android-observable control-plane effects: SEND_SMS or RECEIVE_SMS capability, default SMS handler change or exercise of SMS_DELIVER semantics, direct interaction with the SMS content provider or messaging database, and SMS activity occurring from background or locked-device state without recent user interaction.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "name": "MobileEDR:telemetry", "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between permission or role change, SMS control 
activity, message-store modification, and any follow-on network communication" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to send or manage SMS, such as default messaging apps, carrier tools, device migration apps, or approved enterprise communications apps" }, { "field": "AllowedDefaultSMSHandlers", "description": "Approved packages allowed to become the default SMS handler on managed devices" }, { "field": "AllowedDestinationList", "description": "Approved network destinations associated with legitimate messaging synchronization or carrier workflows" }, { "field": "ForegroundStateRequired", "description": "Whether SMS send or message modification should occur only during active user-driven workflows" }, { "field": "MessageModificationThreshold", "description": "Number of insert, update, or delete operations against SMS store within a short interval required before alerting" }, { "field": "SMSSendRateThreshold", "description": "Maximum expected SMS send frequency for legitimate app behavior" }, { "field": "HighRiskNumberPatterns", "description": "Environment-specific list of premium-rate, adversary-known, or non-business SMS destination patterns" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1802", "external_id": "AN1802" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-10T15:33:30.111Z", "name": "Analytic 1802", "description": "Defender correlates a causal chain where a device transitions into USB debugging or file transfer mode after a physical connection event, followed by application installation, file replication, or execution originating from the USB interface rather 
than the application store ecosystem.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "android:MDMLog", "channel": "device USB mode change (charging to file transfer / debugging / accessory)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "ADB_DEBUGGING_ENABLED" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "application installed from adb, sideload, or unknown USB source" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "large file write originating from /mnt/usb or external mounted storage" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between USB connection state change and application installation." }, { "field": "AllowedDeveloperDevices", "description": "List of devices legitimately allowed to use ADB debugging." }, { "field": "AllowedSideloadApps", "description": "Approved enterprise apps allowed to install outside Google Play." }, { "field": "FileReplicationThreshold", "description": "Volume of file writes from mounted external storage considered suspicious." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1803", "external_id": "AN1803" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-10T23:16:21.386Z", "name": "Analytic 1803", "description": "Defender correlates a chain where a device establishes a new trusted USB host pairing or enters developer/debug configuration state, followed by device data extraction activity, configuration manipulation, or abnormal application behavior shortly after the pairing event.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "iOS:MDMLog", "channel": "Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "iOS:MDMLog", "channel": "Trusted computer / host relationship established or relevant device trust setting changed" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "iOS:MDMLog", "channel": "Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Observed device-service, trust-service, 
backup/service interaction, or other privileged framework activity associated with physical host access" } ], "x_mitre_mutable_elements": [ { "field": "PairingEventWindow", "description": "Time window between trusted host pairing and suspicious device behavior." }, { "field": "AllowedTrustedHosts", "description": "Enterprise-authorized computers permitted to pair with managed devices." }, { "field": "DeveloperModePolicy", "description": "Whether developer mode is permitted in the organization." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1770", "external_id": "AN1770" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-17T19:52:38.107Z", "name": "Analytic 1770", "description": "The defender correlates outbound communication from an application or service to legitimate external web platforms with mobile runtime context showing that the communication is inconsistent with the app's approved role, expected destinations, user interaction pattern, or device state. 
The strongest Android evidence is a managed or installed app communicating with cloud storage, social, messaging, code-hosting, or generic HTTPS web-service infrastructure shortly after background activation, protected-resource use, or local staging activity, especially when the device is locked, user interaction is absent, or the app's historical network baseline does not include that service class.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "App communicating with external web service is backgrounded, persistent, recently awakened, or active while device is locked or without recent user interaction in a way inconsistent with expected app behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "App uses Android framework 
behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window linking app state, resource use, staging activity, and web-service communication." }, { "field": "AllowedAppList", "description": "Approved app identities and expected business roles vary by fleet and device group." }, { "field": "AllowedServiceClasses", "description": "Some organizations legitimately use cloud storage, messaging, or collaboration services from mobile apps." }, { "field": "AllowedDestinations", "description": "Expected domains, SNI values, CDNs, API endpoints, and redirectors vary by application and tenant." }, { "field": "ForegroundStateRequired", "description": "Certain apps may legitimately communicate only in foreground, while others support background sync." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close traffic must be to user activity to be considered expected." }, { "field": "BeaconIntervalTolerance", "description": "Recurring connection periodicity thresholds vary with push, sync, and collaboration workloads." }, { "field": "UplinkBytesThreshold", "description": "Data volume threshold for suspicious transfer to legitimate web-service infrastructure." }, { "field": "ExpectedBackgroundBehavior", "description": "Normal background communication differs across app categories such as mail, chat, navigation, and security tools." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0674#AN1775", "external_id": "AN1775" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1775", "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. \nOn both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoking the permission if necessary. 
", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1676", "external_id": "AN1676" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-17T20:56:49.928Z", "name": "Analytic 1676", "description": "The defender correlates a supervised-device or managed-app request to a legitimate web platform with a subsequent connection to a newly derived destination that is not part of the expected service interaction. 
Because iOS has weaker app-level telemetry, the strongest signal is a network-level sequence where a request to a known public platform is immediately followed by a connection to a different domain or IP, particularly when the device is locked, no recent user interaction occurred, and the bundle is not expected to interact with such downstream infrastructure.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked or BackgroundRefresh active during resolver\u2192pivot sequence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before resolver request and pivot connection sequence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Bundle performing resolver\u2192pivot sequence not present in approved managed-app baseline or lacks expected 
service relationship" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum allowed time between resolver retrieval and pivot connection." }, { "field": "NewDomainThreshold", "description": "Defines rarity or novelty of domain for the device or bundle." }, { "field": "AllowedServiceToDestinationMapping", "description": "Expected relationships between apps and external services." }, { "field": "BackgroundRefreshBaseline", "description": "Expected background network behavior for managed apps." }, { "field": "UserInteractionThreshold", "description": "Defines acceptable timing between user activity and network requests." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0686#AN1796", "external_id": "AN1796" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1796", "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. 
\nOn Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1753", "external_id": "AN1753" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-24T17:54:57.531Z", "name": "Analytic 1753", "description": "Defender observes anomalous signaling network queries targeting subscriber information associated with a device, including unexpected routing requests, location information exchanges, or node-origin inconsistencies indicative of SS7 signaling abuse. 
(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "TelecomLogs:SS7Signaling", "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns" }, { "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "name": "TelecomLogs:MobilityEvents", "channel": "Unexpected location resolution events or abnormal subscriber tracking requests" } ], "x_mitre_mutable_elements": [ { "field": "NodeIdentityDeviationThreshold", "description": "Defines acceptable variance for signaling node identifiers" }, { "field": "SubscriberQueryFrequencyThreshold", "description": "Baseline-dependent threshold for excessive subscriber queries" }, { "field": "GeographicRoutingDeviation", "description": "Expected signaling path vs observed routing anomalies" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0664#AN1757", "external_id": "AN1757" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1757", "description": "Mobile security products can potentially detect jailbroken devices.\nApplication vetting services may be able to detect known 
privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0710#AN1835", "external_id": "AN1835" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1835", "description": "Mobile security products can use attestation to detect compromised devices.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0715#AN1843", "external_id": "AN1843" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1843", "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1678", "external_id": "AN1678" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T17:39:29.213Z", "name": "Analytic 1678", "description": "From the defender\u2019s view: a sandboxed app retrieves code-like content (JS/Mach-O/bundles), writes it to container tmp/Caches, performs memory permission changes (RW\u2192RX/RWX) or directly loads via dyld/dlopen from writable paths, sometimes preceded by 3rd-party hotpatch frameworks (e.g., JSPatch-like behavior) or script engine evaluation. 
The analytic correlates Network Content \u2192 File Creation \u2192 OS API Execution (memory permission change) \u2192 Module Load (dyld/dlopen) and/or Process Access (codesign validation touches), with optional scripting engine events.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "iOS:unifiedlog", "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "Create/write in /var/mobile/Containers/Data/Application/<UUID>/(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files" }, { "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "name": "iOS:unifiedlog", "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max correlation window between download \u2192 write \u2192 load (e.g., 15\u201360s)." }, { "field": "ContentTypeList", "description": "MIME list treated as code-like (octet-stream, zip, javascript, x-mach-o)." }, { "field": "WritablePathRegex", "description": "Regex for app container tmp/Caches writable paths." 
}, { "field": "PayloadEntropyThreshold", "description": "Entropy cutoff to flag code blobs (e.g., \u2265 7.3)." }, { "field": "KnownJITAllowlist", "description": "Bundles that legitimately do JIT/script eval to reduce RWX noise." }, { "field": "WritableLoadPathRegex", "description": "Regex for loads from writable paths only (exclude app bundle)." }, { "field": "UnsignedExecPolicy", "description": "Handle enterprise/dev-provisioned unsigned execution contexts." }, { "field": "UserContext", "description": "Foreground/background or Work Profile state to filter noise." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1827", "external_id": "AN1827" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-19T17:21:51.812Z", "name": "Analytic 1827", "description": "The defender correlates app-attributed outbound sessions where protocol indicators such as TLS handshake, HTTP method and header patterns, DNS semantics, or other application-layer characteristics are observed over a destination port outside the approved baseline for that protocol and app role. 
The strongest Android evidence is repeated or persistent app-attributed traffic using HTTPS-, HTTP-, DNS-, WebSocket-, or other recognizable application behavior over uncommon destination ports, especially when the app is backgrounded, while the device is locked, without recent user interaction, or when the app is unmanaged or not approved for that protocol-to-port pairing.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "AppState=background when non-standard-port session began and no foreground transition occurred during repeated or persistent connection sequence" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port" } ], "x_mitre_mutable_elements": [ { "field": "AllowedProtocolPortMappings", "description": "Approved protocol-to-port pairings vary by app, business workflow, proxy architecture, and enterprise policy." }, { "field": "AllowedAppList", "description": "Approved app identities vary by organization, role, and device group." }, { "field": "AllowedServiceClasses", "description": "Expected external service classes differ across app categories and enterprise mobile workflows." }, { "field": "TimeWindow", "description": "Correlation window linking non-standard-port sessions with lifecycle, framework, or local state changes." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close a session must be to user activity to be considered expected." 
}, { "field": "BeaconIntervalTolerance", "description": "Allowed recurrence interval for benign polling, sync, or persistent sessions differs by app type." }, { "field": "ForegroundStateRequired", "description": "Some apps should only initiate certain outbound communications while foregrounded." }, { "field": "EnterpriseExceptionList", "description": "Known developer tools, enterprise proxies, VPNs, relays, and security products may legitimately use uncommon ports." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1684", "external_id": "AN1684" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T18:00:59.178Z", "name": "Analytic 1684", "description": "Defender correlates attempts to access other apps\u2019 data via shared containers (App Groups), Photos/Files providers, pasteboard abuse, or jailbroken cross-container reads, followed by aggregation/packaging and optional exfil/share. 
Sequence: capability/consent (TCC/entitlements) \u2192 target discovery (AppGroup/Photos/Files enumeration, URL schemes) \u2192 bulk read from shared/foreign container or provider \u2192 package/encode \u2192 exfil/share.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "name": "iOS:unifiedlog", "channel": "Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "iOS:unifiedlog", "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window for consent/discovery \u2192 read \u2192 package \u2192 exfil (e.g., 20\u2013180s)." }, { "field": "AppGroupAllowlist", "description": "Allowed App Group IDs for each bundle to reduce FPs." }, { "field": "ProviderScope", "description": "Files/Photos provider collections permitted for the app." 
}, { "field": "MinBytesRead", "description": "Lower bound on cumulative read size to signal collection vs casual access." }, { "field": "ArchiveExtensions", "description": "Packaging extensions to track when aggregating data." }, { "field": "ExfilDomainAllowlist", "description": "Known-good enterprise domains/CDNs for uploads." }, { "field": "UserContext", "description": "Foreground/background and Work Profile state to scope analytics." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0713#AN1841", "external_id": "AN1841" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-08T20:07:42.093Z", "name": "Analytic 1841", "description": "The defender correlates supervised-device app posture and lifecycle context with repeated local file or local-database access effects, especially when a managed app reads browser, messaging, keychain-adjacent, or application-container data outside its expected role and then stages or uploads the result. 
Because direct low-level local system access visibility is weaker on iOS, the primary analytic is effect-based: managed app identity, file/database access where visible to the mobile sensor, background execution context, and near-term outbound communication.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Supervised managed app without expected local export, sync, or forensic role accesses or stages local records inconsistent with policy baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission" }, { "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "name": "MobileEDR:telemetry", "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between managed app posture, local access activity, optional staging, and upload" }, { "field": "AllowedAppList", "description": "Managed apps expected to access local records such as enterprise sync, backup, or approved investigation tools" }, { "field": "AllowedContainerPatterns", "description": "Expected app-container or local artifact locations for legitimate workflows" }, { "field": "ForegroundStateRequired", "description": "Whether local record access should happen only during 
active user interaction" }, { "field": "BurstReadThreshold", "description": "Minimum number of local file or record reads in a short interval required for alerting" }, { "field": "SensitiveArtifactPatterns", "description": "Environment-specific list of high-value browser, messaging, token, or local record artifacts" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume consistent with recent local data collection" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1853", "external_id": "AN1853" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-17T15:44:07.335Z", "name": "Analytic 1853", "description": "The defender correlates the arrival, installation, or update of a trusted or expected application with a subsequent deviation in package trust characteristics, permission posture, protected-resource use, framework behavior, or network communication that is inconsistent with the known-good role of that app. 
The strongest Android evidence is a managed or trusted package whose first-run or post-update behavior introduces unexpected special access, sensitive sensor use, unusual background execution, privileged framework interaction, or outbound communication to destinations outside the app's baseline shortly after installation or update.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export 
artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between install/update and subsequent runtime/network effects." }, { "field": "AllowedAppList", "description": "Approved managed or trusted applications vary by organization and device group." }, { "field": "AllowedInstallerSources", "description": "Permitted installer source or app delivery mechanism differs by fleet and policy." }, { "field": "AllowedSigningBaseline", "description": "Expected signing lineage, certificate relationship, or integrity metadata vary by package." }, { "field": "ForegroundStateRequired", "description": "Some protected-resource use is legitimate only when an app is foregrounded." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close behavior must be to user interaction to be considered expected." }, { "field": "AllowedDestinations", "description": "Expected app destinations, CDNs, APIs, and service providers vary by app and tenant." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0657#AN1745", "external_id": "AN1745" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1745", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. 
Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1767", "external_id": "AN1767" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-08T16:39:38.897Z", "name": "Analytic 1767", "description": "The defender correlates recent access to locally collected or protected data with subsequent compression, packaging, or encryption behavior inside the same app context, followed by creation of archive-like or high-entropy output and optional near-term network transmission. 
The analytic prioritizes Android runtime and storage effects: application data access or sensor-derived collection, compression/encryption framework use, archive/blob creation in app-accessible storage, and background or device-locked execution inconsistent with the app\u2019s declared function.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or 
encrypted archive generation" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between data access, package creation, encryption, and optional network upload" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to package local data such as backup, cloud sync, file manager, or media editing apps" }, { "field": "AllowedPathList", "description": "Expected storage paths for legitimate archives, exports, or caches" }, { "field": "ForegroundStateRequired", "description": "Whether packaging/export behavior should occur only during active user-driven workflows" }, { "field": "BurstReadThreshold", "description": "Number of files or records read in a short interval before archive creation" }, { "field": "ArchiveSizeThreshold", "description": "Minimum output size for suspicious packaged blob or archive" }, { "field": "EntropyThreshold", "description": "Threshold for identifying encrypted or heavily compressed output" }, { "field": "UplinkBytesThreshold", "description": "Minimum upload size consistent with recent archive creation" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1713", "external_id": "AN1713" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-11T16:29:42.519Z", "name": "Analytic 1713", "description": "Defender correlates an Android-specific causal chain where device connectivity degrades or oscillates across one or more radios, applications lose or repeatedly reattempt network access, and the radio or network failure pattern is inconsistent with ordinary mobility, coverage transition, or user-initiated airplane mode behavior. 
The defender correlates radio state, connectivity framework behavior, application state, network session failures, and location/network-provider degradation to distinguish network denial effects from routine weak-signal conditions.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "android:MDMLog", "channel": "No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "android:MDMLog", "channel": "Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "MobileEDR:telemetry", "channel": "App with network-, telephony-, Wi-Fi-, or location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", 
"description": "Maximum span for correlating connectivity degradation, application retry behavior, and network-session failure into a single denial event." }, { "field": "ExpectedMobilityPopulation", "description": "Users or device populations expected to move through low-coverage zones or transit environments that naturally cause network oscillation." }, { "field": "AllowedAppList", "description": "Apps expected to generate frequent retry behavior or maintain persistent sessions under ordinary weak-signal conditions." }, { "field": "ForegroundStateRequired", "description": "Whether impacted applications are expected to be actively visible to the user for the analytic to carry high confidence." }, { "field": "RecentUserInteractionWindow", "description": "Time threshold for determining whether connectivity degradation occurred during active device use versus idle background operation." }, { "field": "FailureBurstThreshold", "description": "Threshold for repeated disconnects, resets, DNS failures, or transport failures within the correlation window." }, { "field": "LocationProviderDependencyList", "description": "Apps or services expected to rely on GPS or network-based location and therefore likely to exhibit secondary degradation during jamming." }, { "field": "ExpectedCoverageZones", "description": "Known sites or geographies with weak legitimate coverage that should be baseline-adjusted." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1647", "external_id": "AN1647" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T20:27:08.190Z", "name": "Analytic 1647", "description": "Defender correlates attempts to inventory installed apps via LaunchServices/URL-scheme probing or private APIs (e.g., LSApplicationWorkspace) with checks for high-value targets and quick persistence/egress. Chain: capability/attempt (URL scheme spray or LSWorkspace calls) \u2192 large scheme/app probe set \u2192 optional webview hits to brand domains \u2192 local inventory cache \u2192 small egress.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "iOS:unifiedlog", "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "iOS:unifiedlog", "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time from probe burst to 
persist/exfil (e.g., 10\u2013120s)." }, { "field": "MinProbeCount", "description": "Minimum count of scheme/app probes to treat as inventory (e.g., \u226540)." }, { "field": "TargetBundleWatchlist", "description": "Bundle IDs/schemes of sensitive targets (banking/IdP/AV/MDM)." }, { "field": "PersistPathRegex", "description": "Regex for inventory artifacts in container." }, { "field": "ExfilDomainAllowlist", "description": "Allowlist of enterprise analytics/CDN to reduce FPs." }, { "field": "JailbreakContext", "description": "Flag to escalate if private APIs appear on non-managed devices." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1817", "external_id": "AN1817" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-18T16:25:11.215Z", "name": "Analytic 1817", "description": "The defender correlates repeated retrieval and outbound submission activity from a supervised device or managed iOS app to the same legitimate public web-service class where the two-way exchange does not fit the bundle's approved role or expected background-refresh model. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, storage, messaging, social, or generic HTTPS platforms where inbound content fetches are followed by outbound writes, uploads, updates, or message submissions within a short window, especially when occurring during background refresh, while the device is locked, or without recent user interaction. 
Because direct local runtime visibility is weaker than Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity" }, { 
"x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between retrieval and outbound write over the same public web-service class." }, { "field": "SupervisedRequired", "description": "Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices." }, { "field": "AllowedManagedApps", "description": "Approved managed bundle identities vary by organization and device profile." }, { "field": "AllowedServiceClasses", "description": "Some managed apps legitimately perform bidirectional exchanges with collaboration, storage, or messaging services." }, { "field": "AllowedReadWriteMappings", "description": "Defines which bundles are expected to both retrieve and submit content to a given public service class." }, { "field": "BackgroundRefreshBaseline", "description": "Expected background read/write network behavior differs across managed app categories." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close the bidirectional exchange must be to user activity to be considered expected." 
}, { "field": "BeaconIntervalTolerance", "description": "Allowed recurrence interval for repeated bidirectional exchanges varies by bundle type." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1697", "external_id": "AN1697" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-12T17:37:17.976Z", "name": "Analytic 1697", "description": "An app or app update arrives through an expected delivery path or presents as a known legitimate package identity, but its post-install or post-update behavior materially changes in ways inconsistent with its historical role. The defender correlates package identity and install/update context, newly expanded capability state, changed runtime framework use, new sensor or storage behaviors, and new network destinations shortly after installation or update to identify likely supply-chain compromise rather than ordinary malicious sideloading or unrelated post-compromise activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "android:MDMLog", "channel": "Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", 
"channel": "Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Updated or newly delivered application becomes active, launches background services, or executes shortly after install/update with minimal user interaction inconsistent with baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum span between app install/update event and first suspicious post-delivery behavior." }, { "field": "AllowedAppList", "description": "Approved apps expected to change permissions, add services, or contact new destinations because of legitimate feature releases." }, { "field": "AllowedVersionChangeWindow", "description": "Grace period after a documented app release during which some behavior drift may be expected." }, { "field": "ForegroundStateRequired", "description": "Whether certain behaviors should only be considered suspicious when they occur without visible user interaction." }, { "field": "RecentUserInteractionWindow", "description": "Threshold for determining whether immediate post-update activity was user-driven or autonomous." }, { "field": "DestinationAllowList", "description": "Expected new destinations, APIs, CDNs, or telemetry endpoints associated with approved app updates." 
}, { "field": "CapabilityDriftThreshold", "description": "Threshold for how many newly added or newly exercised permissions/capabilities are considered abnormal for a known app." }, { "field": "BehaviorBaselinePopulation", "description": "Population of prior devices, versions, or user cohorts used to baseline normal app behavior." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0678#AN1781", "external_id": "AN1781" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-12T17:25:00.733Z", "name": "Analytic 1781", "description": "An application with access to broad file scopes or sensitive storage areas becomes active, performs abnormal burst file reads and writes across many user or shared-storage locations, transforms file content or extensions at scale in a short window, and causes rapid file inaccessibility, rewrite, or replacement inconsistent with normal sync, backup, media processing, or document-editing behavior. 
The defender correlates capability state, app lifecycle, framework use, bulk file-write effects, and optional network communications to distinguish encrypt-for-impact behavior from benign bulk file operations.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "android:MDMLog", "channel": "Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "MobileEDR:telemetry", "channel": "Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Application runs in foreground, service, or sustained background-active state while concentrated file transformation occurs with weak or no recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum correlation span between app activation, framework use, and burst file transformation." 
}, { "field": "AllowedAppList", "description": "Approved apps allowed to perform legitimate broad file operations such as backup, sync, AV scanning, enterprise migration, media editing, or document management." }, { "field": "ForegroundStateRequired", "description": "Whether a benign bulk file operation is expected to occur only while the app is visible and actively used." }, { "field": "RecentUserInteractionWindow", "description": "Threshold for determining whether large-scale file transformation was user-driven versus unattended." }, { "field": "FileWriteBurstThreshold", "description": "Threshold for number of file create, overwrite, rename, or replace actions within the correlation window." }, { "field": "DistinctDirectoryThreshold", "description": "Threshold for number of distinct folders or content roots touched during the file-impact burst." }, { "field": "ExtensionChangeThreshold", "description": "Threshold for suspicious file extension changes or replacement-file patterns indicative of mass transformation." }, { "field": "BytesWrittenThreshold", "description": "Threshold for cumulative bytes written during the impact window." }, { "field": "ProtectedPathAllowList", "description": "Known paths, document roots, or work-profile storage locations where benign enterprise migration or sync tooling may rewrite many files." }, { "field": "DestinationAllowList", "description": "Expected network destinations contacted by legitimate storage, sync, backup, or MDM remediation apps." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0613#AN1668", "external_id": "AN1668" }, { "source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). 
Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" }, { "source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1668", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1854", "external_id": "AN1854" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-17T17:55:46.302Z", "name": "Analytic 1854", "description": "Anchor on supervised managed-app install/update or version drift, then correlate with unexpected background activity, managed-app state changes, or egress inconsistent with the app's historical and policy baseline.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Recently installed or updated managed app begins background activity, persistent refresh, or lock-state-adjacent activity inconsistent with expected first-run behavior, user interaction timing, or historical baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between app install/update and subsequent lifecycle or network anomalies." 
}, { "field": "SupervisedRequired", "description": "Strongest app inventory and managed state analytics depend on supervised iOS devices." }, { "field": "AllowedManagedApps", "description": "Approved managed app set varies by organization, business unit, and device profile." }, { "field": "ExpectedVersionTransitionPolicy", "description": "Allowed upgrade paths, release rings, and phased rollout patterns vary by environment." }, { "field": "AllowedDestinations", "description": "Expected app destinations, enterprise backends, Apple services, and CDNs differ by app." }, { "field": "BackgroundRefreshBaseline", "description": "Legitimate background activity differs by app category and policy." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close runtime/network activity must be to user action to be considered expected." }, { "field": "UplinkBytesThreshold", "description": "Threshold for suspicious post-update outbound transfer volume." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0625#AN1692", "external_id": "AN1692" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1692", "description": "Application vetting services could look for applications attempting to read `android.os.SystemProperties` or to run `getprop` through runtime `exec()` calls. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0634#AN1707", "external_id": "AN1707" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1707", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
Because `READ_PRIVILEGED_PHONE_STATE` is a signature/privileged permission that the platform does not grant to third-party apps, a non-system app declaring it may be attempting to reach protected telephony state or device identifiers it should not have access to; treat the declaration as a vetting signal to investigate rather than as proof that the data was obtained.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0631#AN1702", "external_id": "AN1702" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T17:33:41.747Z", "name": "Analytic 1702", "description": "The defender correlates proxy-capable network setup or socket-handling behavior with subsequent bidirectional traffic relaying through the same device and app context, especially when inbound client sessions are followed by outbound connections to unrelated remote destinations or when the device sustains multiplexed traffic patterns inconsistent with normal mobile app workflows. 
The analytic prioritizes Android-observable effects: proxy or raw-socket setup, app background execution, inbound-to-outbound traffic bridging, and sustained relayed flows to multiple destinations without recent user interaction.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like traffic handling inconsistent with policy baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "name": "NSM:Flow", "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between proxy/socket setup and subsequent inbound-outbound traffic bridging" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to 
proxy or tunnel traffic, such as enterprise VPN, remote access, security testing, or managed browser apps" }, { "field": "AllowedDestinationList", "description": "Approved remote destinations or service categories for legitimate tunneling applications" }, { "field": "ForegroundStateRequired", "description": "Whether proxy-capable or relayed traffic should occur only during active user-driven workflows" }, { "field": "RelaySessionThreshold", "description": "Minimum number of correlated inbound and outbound session pairs required to indicate relay behavior" }, { "field": "ByteSymmetryTolerance", "description": "Allowed variance between inbound and outbound byte volumes when identifying proxied traffic" }, { "field": "ConcurrentDestinationThreshold", "description": "Maximum expected number of simultaneous unrelated remote destinations for a legitimate app" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume required for relay behavior to be considered meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0635#AN1709", "external_id": "AN1709" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1709", "description": "Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.\nApplication vetting services may look for `MANAGE_ACCOUNTS` in an Android application\u2019s manifest. 
Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it. Note that `MANAGE_ACCOUNTS` was removed in Android 6.0 (API level 23), so its presence in a manifest mainly flags legacy or low-target-SDK apps; on current versions, runtime AccountManager API usage is the more reliable indicator.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "Process", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1694", "external_id": "AN1694" }, { "source_name": "SecureAuth_iOSOAuth_2025", "description": "SecureAuth. (2025). Build an iOS App Using OAuth 2.0 and PKCE. Retrieved March 2, 2026.", "url": "https://docs.secureauth.com/ciam/en/build-an-ios-app-using-oauth-2-0-and-pkce.html" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-02T20:11:59.312Z", "name": "Analytic 1694", "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. 
\n\nDevelopers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage adherence to RFC 8252 (OAuth 2.0 for Native Apps): perform authorization through the system browser rather than an embedded web view, use PKCE, and bind redirect URIs to the app (e.g., App Links / claimed HTTPS URIs) so that another app cannot register the same custom URI scheme and intercept the authorization response.(Citation: IETF-OAuthNativeApps)(Citation: SecureAuth_iOSOAuth_2025)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0608#AN1660", "external_id": "AN1660" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1660", "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. 
\nApplication vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0684#AN1791", "external_id": "AN1791" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T14:49:38.837Z", "name": "Analytic 1791", "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nEnterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "Network Traffic", "channel": "None" }, { "x_mitre_data_component_ref": 
"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "name": "Network Traffic", "channel": "None" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0677#AN1780", "external_id": "AN1780" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-22T19:50:50.601Z", "name": "Analytic 1780", "description": "Defender correlates an app's opaque media ingress (download/IPC) with high-entropy or anomalous edits to image/audio/video files in app-writable storage (e.g., bursts of bitmap/codec operations, EXIF/IPTC/XMP mutation, suspicious container growth), followed by decoding/extraction behavior (new non-media artifact derived from the edited media) and optional exfiltration/sharing of the stego media. 
Focus is on: (1) opaque media arrival \u2192 (2) rapid metadata or pixel-domain mutations with atypical size/entropy deltas \u2192 (3a) decoded payload creation or dynamic load from decoded path, and/or (3b) upload/share of the modified media within a tight window.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app" }, { "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "name": "android:logcat", "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "App UID writes edited media to container paths (e.g., /data/data/<pkg>/files/, /data/data/<pkg>/cache/, /storage/emulated/0/Pictures/<app>/) with high delta in size vs. original and elevated estimated segment entropy " } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Max time between media download/ingress, edit, and payload use/share (e.g., 10\u2013120s depending on device performance)." }, { "field": "PayloadEntropyThresholdMediaSegment", "description": "Minimum Shannon entropy for edited media regions or container deltas (e.g., \u2265 7.1) to flag likely embedded payloads." }, { "field": "SizeDeltaRatio", "description": "Minimum growth ratio between pre/post edit media (e.g., \u2265 1.25) to reduce noise from normal compression." 
}, { "field": "EditBurstWriteCount", "description": "Minimum sequential small-write count to indicate chunked embedding or re-encode bursts." }, { "field": "SuspiciousMimeTransitions", "description": "List of atypical MIME/container transitions (e.g., PNG\u2192JPEG with EXIF injection, WAV\u2192M4A) for local tuning." }, { "field": "KnownGoodMediaAppsAllowlist", "description": "Trusted editors/camera apps allowed to perform frequent edits without alerting." }, { "field": "NetworkCDNAllowlist", "description": "CDNs/domains expected to host user media for the enterprise; suppresses FP for legitimate apps." }, { "field": "UserContext", "description": "Foreground, Work Profile, developer mode flags used to scope analytics." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1793", "external_id": "AN1793" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-04T23:55:34.960Z", "name": "Analytic 1793", "description": "A defender observes an application establishing application-layer network sessions (e.g., HTTP(S), WebSocket, DNS, SMTP/IMAP) with destinations and request patterns that deviate from the enterprise baseline for that app category, especially when sessions occur during background execution or while the device is locked and exhibit beacon-like periodicity, anomalous SNI/Host patterns, or suspicious request/response size symmetry consistent with command polling and tasking over legitimate-looking protocols.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ 
"mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "name": "NSM:Flow", "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction" } ], "x_mitre_mutable_elements": [ { "field": "BeaconIntervalVarianceThreshold", "description": "Defines acceptable periodicity variance for network communications" }, { "field": "ConnectionFrequencyThreshold", "description": "Baseline-dependent threshold for anomalous connection rates" }, { "field": "PayloadEntropyThreshold", "description": "Defines anomaly conditions for encoded or structured payload content" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0703#AN1822", "external_id": "AN1822" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T17:53:31.236Z", "name": "Analytic 1822", 
"description": "The defender correlates call-control capability or telecom role state with subsequent unauthorized call initiation, answer, block, redirect, or concealment behavior by an application outside expected telephony workflows. The analytic prioritizes Android-observable control-plane effects: dangerous or role-gated call-control permissions, default dialer or ConnectionService-related role changes, telecom framework invocation for call placement or handling, write activity against call-log records, and call-control activity occurring from background or locked-device context without recent user interaction.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "name": "MobileEDR:telemetry", "channel": "Application inserts, updates, deletes, or rewrites call-log 
records immediately after call-control action to conceal, alter, or synthesize call history" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between permission or role state, call-control action, call-log mutation, and follow-on network communication" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to initiate or manage calls, such as default dialers, carrier tools, enterprise communications apps, or approved call-screening apps" }, { "field": "AllowedDialerRoles", "description": "Approved packages allowed to become default dialer or telecom-managing app on managed devices" }, { "field": "AllowedDestinationList", "description": "Approved network destinations associated with legitimate VoIP, carrier, or enterprise communications workflows" }, { "field": "ForegroundStateRequired", "description": "Whether call-control actions should occur only during active user-driven workflows" }, { "field": "CallLogModificationThreshold", "description": "Number of call-log insert, update, or delete operations within a short interval required before alerting" }, { "field": "CallActionRateThreshold", "description": "Maximum expected rate of call placement, answer, redirect, or block actions for legitimate app behavior" }, { "field": "HighRiskNumberPatterns", "description": "Environment-specific list of suspicious, premium-rate, or adversary-known phone-number patterns" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0644#AN1722", "external_id": "AN1722" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-28T17:28:26.921Z", "name": "Analytic 1722", "description": 
"From the defender view: a sandboxed app handles a high-entropy executable blob, performs rapid decode/decrypt in memory (often with RW\u2192RX or execmem friction), optionally emits a transient .dex/.so into app-writable paths, then immediately loads/executes it (DexClassLoader/dlopen) or spawns a helper. We correlate: (1) opaque blob write/arrival \u2192 (2) decode/unpack or memory protection change \u2192 (3) new code artifact or byte[] class definition \u2192 (4) dynamic load/exec within a tight window.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "android:logcat", "channel": "Create/write of high-entropy files in /data/data//(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin" }, { "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "name": "android:logcat", "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "android:logcat", "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Correlation window from write\u2192unpack\u2192load (e.g., 5\u201345s; device-dependent)." 
}, { "field": "PayloadEntropyThreshold", "description": "Entropy to flag packed blobs (e.g., \u2265 7.2)." }, { "field": "RWXPageMinKB", "description": "Minimum RWX allocation size to reduce noise (e.g., \u2265 32KB)." }, { "field": "ExecPathRegex", "description": "Regex for suspicious .dex/.so/.jar/temp paths under app container." }, { "field": "KnownGoodLoadersAllowlist", "description": "Legit libraries/bundles expected to load from writable paths (test/dev builds)." }, { "field": "UserContext", "description": "Foreground/background, Work Profile, developer mode to scope alerts." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1731", "external_id": "AN1731" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-01T16:01:38.627Z", "name": "Analytic 1731", "description": "An application performs repeated symmetric cryptographic operations (e.g., AES/RC4) on collected or staged data using locally accessible or reusable keys, followed by structured outbound communication. 
Detection correlates symmetric crypto API invocation + key reuse patterns + data staging + background execution context + network transmission, especially when inconsistent with expected application functionality.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Time correlation between symmetric encryption operations and outbound communication" }, { 
"field": "EntropyThreshold", "description": "Threshold for detecting encrypted payloads based on entropy scoring" }, { "field": "KeyReuseThreshold", "description": "Number of repeated uses of the same symmetric key within a defined interval" }, { "field": "AllowedCryptoApps", "description": "Apps expected to use symmetric encryption (e.g., messaging, VPN)" }, { "field": "ForegroundStateRequired", "description": "Whether encryption activity should occur only during active user interaction" }, { "field": "BeaconIntervalVariance", "description": "Expected jitter vs periodic encrypted communication" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1849", "external_id": "AN1849" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T16:02:15.040Z", "name": "Analytic 1849", "description": "The defender correlates managed-app network retrieval from a non-baselined external source with immediate creation of a new local artifact, staged resource, module-like file, or opaque payload inside the app container, followed by optional dynamic loading, handoff, or repeat retrieval behavior. 
Because iOS offers weaker direct visibility into tool staging internals than Android in many environments, the analytic anchors first on network acquisition plus managed app identity and then strengthens confidence with file creation or process-activity effects where mobile telemetry is available.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Ingress retrieval and staging occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with 
policy baseline" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between remote retrieval, local staging, and any follow-on file handling" }, { "field": "AllowedAppList", "description": "Managed apps legitimately expected to download secondary content or updates" }, { "field": "AllowedDestinationList", "description": "Approved content, MDM, enterprise, and application-update endpoints" }, { "field": "AllowedContainerPatterns", "description": "Expected app-container paths for legitimate downloaded assets" }, { "field": "IngressBytesThreshold", "description": "Minimum inbound transfer volume consistent with secondary tool or payload retrieval" }, { "field": "ForegroundStateRequired", "description": "Whether retrieval should happen only in active user-driven workflows" }, { "field": "ArtifactRiskPatterns", "description": "Environment-specific file or content patterns considered suspicious such as staged dylib-like resources, html overlays, archives, or opaque blobs" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0606#AN1656", "external_id": "AN1656" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1656", "description": "The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. \nApplication vetting services can look for applications that request permissions to Accessibility services or application overlay. 
\nMonitor for API calls that are related to GooglePlayServices. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "Process", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1772", "external_id": "AN1772" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-04T23:26:47.489Z", "name": "Analytic 1772", "description": "A defender observes an application holding microphone capture capability transitioning into active microphone resource usage through Android audio APIs (e.g., MediaRecorder or AudioRecord), followed by sustained capture while the application is backgrounded or the device is locked, and subsequent outbound network traffic suggesting potential audio exfiltration or streaming.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { 
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Microphone sensor activation or audio recording session initiated by application process" }, { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "MobileEDR:telemetry", "channel": "Application transitions to background or executes while screen locked during microphone session" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Application writes audio buffer or recorded audio file into application storage directories" } ], "x_mitre_mutable_elements": [ { "field": "RecordingDurationThreshold", "description": "Minimum microphone session duration before triggering detection to reduce noise from short legitimate captures." }, { "field": "BackgroundCapturePolicy", "description": "Environment-specific baseline for legitimate background microphone usage" }, { "field": "CaptureToNetworkTimeWindow", "description": "Time window correlating microphone activation with outbound network traffic." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0719#AN1850", "external_id": "AN1850" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T19:56:13.060Z", "name": "Analytic 1850", "description": "Correlates (1) device posture changes indicating root or elevated privilege state, (2) runtime framework manipulation or injection into application processes, and (3) anomalous API behavior or suppressed security signals. The defender observes a causal chain where an application gains privileged execution context, interacts with system frameworks (e.g., ART/Zygote), and modifies expected API outputs or suppresses security-relevant signals such as permission checks, sensor access reporting, or process visibility.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Defines correlation 
window between root detection, runtime manipulation, and anomalous API behavior" }, { "field": "AllowedAppList", "description": "Baseline of known applications that legitimately use instrumentation or debugging frameworks" }, { "field": "ForegroundStateRequired", "description": "Determines whether suspicious API manipulation must occur in background to increase fidelity" }, { "field": "IntegritySignalSource", "description": "Defines which attestation signals (Play Integrity, OEM attestation) are trusted in the environment" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0605#AN1655", "external_id": "AN1655" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1655", "description": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0616#AN1674", "external_id": "AN1674" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1674", "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0612#AN1666", "external_id": "AN1666" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-30T16:54:01.193Z", "name": "Analytic 1666", "description": "The defender correlates Android accessibility or UI-automation-capable behavior from an app identity with injected user-interface actions occurring on behalf of the user in another foreground application. 
The strongest Android evidence is accessibility-enabled or similarly privileged app behavior that triggers programmatic clicks, global actions, or text insertion into another app's active UI, especially when those actions occur without matching user touch interaction, while the injecting app is backgrounded or foreground-service-only, or when the target foreground app belongs to a sensitive category such as banking, payments, identity, communications, or enterprise access. The detection is strengthened when the injected input sequence is followed by target-app navigation, form submission, transaction progression, or network activity from the target context.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": 
"MobileEDR:telemetry", "channel": "Injecting app remained backgrounded or foreground-service-only while injected click, global action, or text insertion occurred in a different foreground app" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before injected UI action and no matching touch interaction was observed for the target foreground app during injection sequence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Sensitive app category remained foregrounded during injected UI sequence from different app identity" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window linking injected actions to target-app navigation, submission, or downstream network effects." }, { "field": "AllowedAppList", "description": "Approved accessibility, autofill, remote-assist, or QA/testing apps vary by organization and device group." }, { "field": "AllowedAccessibilityApps", "description": "Approved accessibility-enabled apps vary by assistive and enterprise workflow." }, { "field": "AllowedAutofillApps", "description": "Approved password managers or autofill-capable apps may legitimately inject text into fields." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close an injected action must be to user interaction to be considered expected." }, { "field": "SensitiveForegroundAppCategories", "description": "Categories such as banking, payments, identity, communications, and enterprise access may warrant higher sensitivity." }, { "field": "GlobalActionBurstThreshold", "description": "Threshold for repeated programmatic global actions within a short window." 
}, { "field": "TextInjectionLengthThreshold", "description": "Minimum inserted text length or field-population pattern considered suspicious outside approved autofill workflows." }, { "field": "ConsentOrSetupGracePeriod", "description": "Grace period allowed after explicit user enablement of approved accessibility or autofill workflows before injection is treated as suspicious." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1663", "external_id": "AN1663" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-19T15:15:16.075Z", "name": "Analytic 1663", "description": "The defender correlates repeated or periodic app-attributed retrieval from a legitimate public web-service platform with runtime conditions showing that the retrieval is not aligned to normal foreground consumption, user interaction, or approved app role. The strongest Android evidence is a managed or installed app repeatedly issuing inbound-oriented GET, fetch, sync, or content-pull operations to social, collaboration, paste, code-hosting, cloud-storage, messaging, or generic HTTPS platforms while the app is backgrounded, while the device is locked, or without recent user interaction, and without a corresponding outbound writeback to that same service class during the operational window. 
The detection is strengthened when the retrieval is temporally adjacent to scheduled/background execution, local state changes, or later downstream effects that do not require the same public platform to receive output.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "AppState=background when repeated retrieval from public web-service domain began and no foreground transition occurred during the retrieval sequence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked 
during repeated inbound retrieval sequence from public web-service platform" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window used to evaluate recurring retrieval and absence of same-service writeback." }, { "field": "AllowedAppList", "description": "Approved app identities vary by organization, role, and device group." }, { "field": "AllowedServiceClasses", "description": "Some apps legitimately retrieve content from collaboration, messaging, storage, or code-hosting services." }, { "field": "AllowedReadOnlyMappings", "description": "Defines which apps are expected to only retrieve, and under what foreground/background conditions." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close retrieval must be to user activity to be considered expected" }, { "field": "BeaconIntervalTolerance", "description": "Allowed recurrence interval for benign refresh, sync, or polling behavior differs by app category" }, { "field": "ForegroundStateRequired", "description": "Some apps should only retrieve from certain public service classes while foregrounded" }, { "field": "InboundOutboundRatioThreshold", "description": "Expected ratio of inbound to outbound bytes for benign app refresh behavior varies by workload." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1670", "external_id": "AN1670" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T17:36:14.306Z", "name": "Analytic 1670", "description": "A defender correlates Safari or embedded web content navigation with short-lived but abnormal web session behavior such as staged redirects, environment fingerprinting, or exploit-preparation fetches, followed by browser/WebView instability, unusual file handling, profile/download prompts, or near-term changes in device or application behavior inconsistent with normal browsing.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Browser or 
WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity" } ], "x_mitre_mutable_elements": [ { "field": "NavigationToExploitWindow", "description": "Time window linking Safari/WebView navigation to redirects, downloads, crashes, or post-visit state changes." }, { "field": "AllowedBrowserApps", "description": "Allow-list of expected browsers and sanctioned embedded web container apps." }, { "field": "RedirectChainThreshold", "description": "Threshold for suspicious redirect depth or cross-domain chaining." }, { "field": "FingerprintingRequestThreshold", "description": "Threshold for suspicious browser/environment enumeration requests during browsing session." }, { "field": "DownloadArtifactThreshold", "description": "Threshold for suspicious downloaded files, profiles, or cached artifacts created after page visit." }, { "field": "PostVisitBehaviorShiftThreshold", "description": "Threshold for abnormal changes in app/device behavior after browsing, such as repeated browser crashes or unexpected handoffs." }, { "field": "AllowedAdTechDomains", "description": "Baseline of expected ad-tech, CDN, and analytics domains to suppress benign browsing noise." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1664", "external_id": "AN1664" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-19T15:26:39.271Z", "name": "Analytic 1664", "description": "The defender correlates repeated retrieval-oriented communication from a supervised device or managed iOS app to a legitimate public web-service platform where the activity remains primarily inbound and does not produce corresponding writeback to that same service class during the operational window. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, social, messaging, storage, or generic HTTPS platforms where inbound fetches or content pulls recur during background refresh, while the device is locked, or without recent user interaction, and no matching POST, upload, update, or message-send activity to that same public service class is observed. 
Because direct local runtime visibility is weaker than on Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "VPN:MobileProxy", "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same 
app identity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window used to evaluate recurring retrieval and absence of same-service writeback." }, { "field": "SupervisedRequired", "description": "Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices." }, { "field": "AllowedManagedApps", "description": "Approved managed bundle identities vary by organization and device profile." }, { "field": "AllowedServiceClasses", "description": "Some managed apps legitimately retrieve content from storage, collaboration, or messaging services." }, { "field": "AllowedReadOnlyMappings", "description": "Defines which bundles are expected to retrieve without writeback, and in what context." }, { "field": "BackgroundRefreshBaseline", "description": "Expected background retrieval behavior differs across managed app categories." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close retrieval must be to user activity to be considered expected." }, { "field": "BeaconIntervalTolerance", "description": "Allowed recurrence interval for benign refresh, polling, or sync behavior differs by bundle type." }, { "field": "InboundOutboundRatioThreshold", "description": "Expected ratio of inbound to outbound bytes for benign managed-app refresh behavior varies by workflow." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0679#AN1782", "external_id": "AN1782" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-23T20:22:40.361Z", "name": "Analytic 1782", "description": "OLD: Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.\nOn both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. \n\nNEW: A defender observes an Android application requesting android.permission.READ_CONTACTS, which may also be listed in the application's manifest file. ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "android:logcat", "channel": "Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Application granted or retaining the READ_CONTACTS permission." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0687#AN1797", "external_id": "AN1797" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:37.215Z", "name": "Analytic 1797", "description": "Correlates (1) application-driven modification of device security posture or monitoring capability (e.g., accessibility abuse, disabling security app components, altering monitoring configuration), (2) immediate degradation or cessation of expected telemetry sources such as mobile EDR, sensor visibility, or system monitoring, and (3) subsequent application activity continuing with reduced observability. The defender observes a causal chain where defensive visibility or enforcement is altered first, followed by continued execution under reduced monitoring conditions.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "change to security-relevant device configuration or managed policy (e.g., accessibility enablement, app admin changes, security service state change) preceding telemetry degradation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Security or monitoring application transitions to disabled, inactive, or non-reporting state while other applications remain active" 
}, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between configuration change, telemetry degradation, and subsequent activity" }, { "field": "ExpectedTelemetrySources", "description": "Baseline set of telemetry sources expected to report continuously (EDR, sensor feeds, monitoring services)" }, { "field": "TelemetryGapThreshold", "description": "Duration or volume threshold defining abnormal loss of telemetry" }, { "field": "AllowedAppList", "description": "Applications legitimately capable of modifying device configuration or security posture" }, { "field": "CriticalControlSet", "description": "Set of security-relevant controls considered high-impact if altered (EDR, accessibility, admin APIs)" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold used to confirm continued activity during telemetry loss" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0627#AN1695", "external_id": "AN1695" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1695", "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. 
\nApplication vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1809", "external_id": "AN1809" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-23T20:54:34.747Z", "name": "Analytic 1809", "description": "The defender correlates managed-app or supervised-device camera access with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest iOS evidence is camera access or camera-adjacent capture activity followed by app-state evidence such as background or low-interaction operation, optional media artifact creation, and optional post-capture network transfer. 
Because direct low-level runtime visibility is weaker than Android for many enterprises, the primary iOS analytic should anchor on managed app context, device state, and downstream effects around camera use, with local subsystem telemetry treated as enrichment rather than sole proof.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Background activity, low-interaction device state, or DeviceLockState=locked was observed during sustained camera session or immediately before camera access from same bundle context" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "Bundle performing camera session was not present in approved managed-app baseline or was not permitted to use camera for video or interval image capture" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window linking camera access, device state, artifact creation, and optional network transfer." 
}, { "field": "CaptureDurationThreshold", "description": "Minimum sustained camera session duration considered unusual for the bundle role." }, { "field": "SupervisedRequired", "description": "Strongest bundle-baseline and managed-app analytics depend on supervised iOS devices." }, { "field": "AllowedManagedApps", "description": "Approved managed bundle identities with camera capability vary by organization and device profile." }, { "field": "ForegroundStateRequired", "description": "Some managed apps should only access the camera during visible foreground use." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close camera activation must be to user interaction to be considered expected." }, { "field": "AllowedBackgroundCaptureApps", "description": "Specific approved workflows may legitimately capture media under constrained background-like conditions." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1739", "external_id": "AN1739" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-12-02T15:38:03.766Z", "name": "Analytic 1739", "description": "Correlates anomalous modifications to boot-time or logon-time initialization artifacts (for example, init.rc, vendor init scripts, app_process or shell hijacks, and malicious BOOT_COMPLETED BroadcastReceivers) with subsequent unauthorized script execution after boot. 
From the defender\u2019s perspective this appears as integrity or attestation failures on the system partition, unexpected writes to protected init paths, new apps registering for boot events, and privileged processes invoking scripts or binaries from non-standard locations shortly after the device boots.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "AndroidAttestation:VerifiedBoot", "channel": "Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure" }, { "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "name": "AndroidLogs:FileSystem", "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts" }, { "x_mitre_data_component_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "name": "AndroidLogs:Framework", "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "AndroidLogs:Kernel", "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "AndroidAttestation:SafetyNet", "channel": "SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "OEMAttestation:Knox", "channel": "Samsung Knox attestation shows 
attestation_state=COMPROMISED or warranty bit set" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between boot/attestation event and suspicious script execution (for example, 0\u201310 minutes after BOOT_COMPLETED)." }, { "field": "AuthorizedBootReceivers", "description": "Enterprise-specific allow list of packages expected to register BOOT_COMPLETED receivers." }, { "field": "ProtectedPaths", "description": "OEM- and ROM-specific list of system and vendor init script locations that should be immutable in production devices." }, { "field": "ExpectedAttestationState", "description": "Expected Verified Boot, SafetyNet, and OEM attestation states for enrolled devices. Custom ROM or dev devices may need relaxed thresholds." }, { "field": "IntegrityFailureThreshold", "description": "Number or rate of attestation failures before escalating to a high-severity incident." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0709#AN1834", "external_id": "AN1834" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1834", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0701#AN1818", "external_id": "AN1818" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1818", "description": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1755", "external_id": "AN1755" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T17:50:48.706Z", "name": "Analytic 1755", "description": "Defender observes a mobile device initiating abnormal or exploit-like network interactions with internal or remote services, followed by process-level instability, privilege boundary shifts, or unexpected execution behaviors indicative of service exploitation outcomes.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Connections", "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "AndroidLogs:Crash", "channel": "Application or system process crash/restart patterns temporally associated with remote service communications" } ], "x_mitre_mutable_elements": [ { "field": "ProtocolAnomalyThreshold", "description": "Defines deviation tolerance for malformed or exploit-like protocol behavior" }, { "field": "CrashCorrelationWindow", "description": "Temporal linkage between suspicious network activity and process instability" }, { "field": "EnterpriseServiceBaseline", "description": "Environment-specific baseline of expected internal service communications" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0707#AN1830", "external_id": "AN1830" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T17:09:39.997Z", "name": "Analytic 1830", "description": "The defender correlates creation of background scheduler activity with later execution of repeating or deferred work by the same managed app, then raises confidence when the triggered activity produces network, local-write, or other app behavior that occurs outside expected user context. Because iOS exposes weaker direct scheduling observability in many enterprise environments, the analytic anchors first on managed app posture and lifecycle-to-network or lifecycle-to-file effects, with NSBackgroundActivityScheduler-related behavior treated as strongest when runtime telemetry can observe background scheduler usage or execution callbacks.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", "name": "MobileEDR:telemetry", "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between scheduler creation, later execution, and follow-on file or network behavior" }, { "field": "AllowedAppList", "description": 
"Managed apps legitimately expected to perform background maintenance or deferred sync behavior" }, { "field": "AllowedExecutionIntervals", "description": "Expected repeating interval or defer window for legitimate background activity" }, { "field": "ForegroundStateRequired", "description": "Whether follow-on behavior from background scheduler execution should require recent user interaction" }, { "field": "TriggerToNetworkWindow", "description": "Maximum expected delay between scheduled execution and outbound communication" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after scheduled execution to treat network behavior as meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1681", "external_id": "AN1681" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-02T20:39:33.682Z", "name": "Analytic 1681", "description": "Defender observes an application establishing recurrent HTTPS or FCM-based communication sessions exhibiting structured cadence, asymmetric request/response sizes, or persistent low-volume polling inconsistent with declared application functionality, potentially embedding command data within web protocol traffic.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "NSM:Flow", "channel": "HTTPS sessions exhibiting periodic request 
cadence or structured payload exchanges inconsistent with application baseline" } ], "x_mitre_mutable_elements": [ { "field": "BeaconIntervalVarianceThreshold", "description": "Defines acceptable deviation in HTTPS polling cadence" }, { "field": "PayloadSymmetryThreshold", "description": "Defines acceptable ratio between request and response sizes" }, { "field": "AppNetworkRoleBaseline", "description": "Expected mapping between application category and network endpoints" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0688#AN1798", "external_id": "AN1798" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1798", "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1657", "external_id": "AN1657" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T20:47:35.790Z", "name": "Analytic 1657", "description": "The defender correlates app-driven shell-launch behavior with subsequent execution of Unix shell processes or shell-script activity under the same app context, especially when execution occurs from background state, without recent user interaction, or is followed by file-system, privilege-escalation, or network effects inconsistent with the app's declared role. The analytic prioritizes Android-observable control-plane effects: Runtime or ProcessBuilder invocation, spawn of sh/toybox/toolbox/su or equivalent shell process, script-file staging or redirected output, and post-execution network or local artifact creation.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "MobileEDR:telemetry", "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation" }, { "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "name": "MobileEDR:telemetry", "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between shell-launch method use, Unix shell process creation, and follow-on file or network effects" }, { "field": "AllowedAppList", "description": "Apps legitimately expected to run shells, such as approved terminal apps, enterprise 
support tools, device management agents, or developer tooling" }, { "field": "AllowedProcessPatterns", "description": "Expected shell binaries, parent-child process chains, and helper-process patterns for approved apps" }, { "field": "ForegroundStateRequired", "description": "Whether Unix shell execution should occur only during active user-driven workflows" }, { "field": "CommandArgumentRiskPatterns", "description": "Environment-specific list of suspicious shell arguments, pipes, redirection, chaining operators, or privilege-escalation references" }, { "field": "SensitivePathPatterns", "description": "Environment-specific list of high-value file paths or system locations touched after shell execution" }, { "field": "PostExecutionWriteThreshold", "description": "Minimum number or size of artifacts created after shell execution to increase confidence" }, { "field": "UplinkBytesThreshold", "description": "Minimum outbound volume after shell execution to treat network behavior as meaningful" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1716", "external_id": "AN1716" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-01T15:33:34.145Z", "name": "Analytic 1716", "description": "An application performs explicit cryptographic operations (e.g., symmetric/asymmetric encryption routines) on locally collected or generated data, followed by structured outbound network communication that does not align with expected application behavior, particularly when occurring in the background or without user interaction. 
Detection correlates crypto API usage + data staging + application state + network transmission patterns.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Time correlation between crypto operation and outbound network transmission" }, { "field": "EntropyThreshold", "description": "Threshold for detecting encoded/encrypted payloads based on entropy scoring" }, { "field": "AllowedCryptoApps", "description": "Apps expected to perform encryption (e.g., VPNs, messaging apps)" }, { "field": "ForegroundStateRequired", "description": "Whether encryption + transmission should only occur during user interaction" }, { "field": 
"BeaconIntervalVariance", "description": "Expected jitter/interval for legitimate app traffic vs beaconing patterns" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1777", "external_id": "AN1777" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-04T23:47:29.735Z", "name": "Analytic 1777", "description": "Defender correlates an application\u2019s location authorization level (When-In-Use vs Always) and entitlement posture with observed location sensor activity that occurs without proximate user interaction, including background updates, followed by periodic outbound network sessions aligned to location update timing\u2014suggesting covert or policy-violating location tracking.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "iOS:unifiedlog", "channel": "Application activates CoreLocation services or CLLocationManager APIs" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "iOS:MDMLog", "channel": "App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state" } ], "x_mitre_mutable_elements": [ { "field": "ForegroundLocationExpectation", "description": "Defines legitimate location usage relative to app state" }, { "field": 
"LocationAccessDurationThreshold", "description": "Baseline deviation tolerance for sustained location tracking" }, { "field": "LocationToTransmissionWindow", "description": "Temporal threshold linking location access to network activity" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0657#AN1746", "external_id": "AN1746" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1746", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "name": "User Interface", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0696#AN1810", "external_id": "AN1810" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1810", "description": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0698#AN1813", "external_id": "AN1813" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": 
"Analytic 1813", "description": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0634#AN1706", "external_id": "AN1706" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-18T19:59:27.650Z", "name": "Analytic 1706", "description": "Defender observes an app (package/UID) repeatedly retrieving network interface configuration attributes (local IP/MAC/interface names, active network capabilities, link properties, proxy/DNS settings, or carrier identifiers when permitted) in a short time window, without corresponding user network-management activity. The pattern is characterized by OS API execution for interface/config reads combined with background state, permission/role context (e.g., device owner/profile owner/carrier/default-SMS), and optional follow-on connectivity tests (gateway/DNS/proxy reachability). 
Correlate across API execution + app state + (optional) local probe to identify automated network configuration discovery rather than routine connectivity checks.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "Application Vetting", "channel": "None" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindowSeconds", "description": "Window to correlate config reads with app state and optional connectivity tests (e.g., 30\u2013300s)." }, { "field": "MinConfigReadEvents", "description": "Minimum number of network-config read signals before flagging (environment dependent; e.g., \u226510/5m)." }, { "field": "BackgroundOnly", "description": "If true, require the app to be backgrounded to reduce legitimate network UI/diagnostic activity." }, { "field": "AllowlistedPackages", "description": "Connectivity/security/MDM apps expected to query network configuration frequently." }, { "field": "PrivilegedRoleFilter", "description": "If true, elevate severity when an app with device-owner/profile-owner/carrier roles performs bursts." }, { "field": "LocalProbePorts", "description": "Ports considered 'connectivity tests' (e.g., 53, 80, 443, 8080, 3128) \u2013 tune per environment." }, { "field": "NetworkChangeSuppressionSeconds", "description": "Suppress alerts shortly after legitimate network transitions (Wi-Fi join, VPN connect) to reduce noise." 
} ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1758", "external_id": "AN1758" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-12-04T17:12:06.342Z", "name": "Analytic 1758", "description": "From the defender\u2019s perspective, this strategy correlates signals that a previously unprivileged Android app or process has gained higher privileges through exploitation rather than normal OS or MDM flows. \nObservable behaviors include: \n(1) unprivileged app processes issuing sensitive syscalls or accessing privileged device interfaces, \n(2) bursts of SELinux denials followed by an unexpected domain or permission change, \n(3) creation of new processes running with system or root UID whose lineage traces back to an app sandbox path, and \n(4) crashes or abnormal restarts of privileged system services followed shortly by a new connection or binder interaction from the same low-privileged app. 
The focus is on unusual privilege transitions, anomalous process ancestry, and OS security policy violations, not on specific exploit binaries or CVE signatures.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "AndroidLogs:Crash", "channel": "Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "AndroidLogs:Kernel", "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "name": "AndroidLogs:Framework", "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window (for example, 60\u2013300 seconds) between SELinux events, crashes, and privilege changes to reduce noise while still capturing exploit chains." }, { "field": "AppUidRange", "description": "UID ranges that represent unprivileged application accounts in a specific Android OEM or enterprise deployment." 
}, { "field": "SensitiveSyscalls", "description": "List of syscalls considered indicative of privilege escalation attempts; may vary by kernel version, OEM drivers, and threat model." }, { "field": "PrivilegedServices", "description": "Set of high-value Android system services where crashes or restarts are particularly suspicious (for example, system_server, mediaserver)." }, { "field": "PrivilegedUids", "description": "Enterprise-defined mapping of UIDs considered elevated (for example, root, system, radio) for alert scoping." } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0638#AN1712", "external_id": "AN1712" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:30:39.616Z", "name": "Analytic 1712", "description": "Correlates (1) application access to or staging of local files likely to be of operational, evidentiary, or user value, (2) deletion of those files or wipe-like destructive actions through ordinary storage access, administrative controls, or privileged/rooted paths, and (3) continued app or device activity after deletion, including cleanup, concealment, or outbound transfer. 
The defender observes a causal chain where files are first accessed or prepared, then removed, and device-side behavior continues after evidence or data is gone.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity" }, { "x_mitre_data_component_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "name": "MobileEDR:telemetry", "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between file access or staging, deletion event, and subsequent activity" }, { "field": "FileScopeSet", "description": "File paths, storage scopes, and data classes monitored for suspicious deletion, such as documents, databases, media, email stores, or update artifacts" }, 
{ "field": "DeletionVolumeThreshold", "description": "Threshold for number, size, or concentration of deleted files required before escalation" }, { "field": "AllowedCleanupApps", "description": "Legitimate applications expected to rotate, purge, or clean up files in the environment" }, { "field": "ProtectedRoleSet", "description": "Administrative or rooted control paths that materially increase destructive file deletion capability" }, { "field": "UplinkBytesThreshold", "description": "Outbound traffic threshold used to distinguish exfiltration-linked cleanup from benign maintenance activity" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0711#AN1837", "external_id": "AN1837" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T21:18:39.945Z", "name": "Analytic 1837", "description": "Correlates (1) application registration or activation of broadcast receivers tied to system or app-generated intents, (2) event-triggered execution while the application is not in the foreground, and (3) immediate follow-on actions such as network communication or data access. 
The defender observes a causal chain where an external event (e.g., BOOT_COMPLETED, SMS_RECEIVED, USER_PRESENT, CONNECTIVITY_CHANGE) triggers application execution that bypasses normal user-driven lifecycle expectations, followed by background processing or outbound activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Time correlation window between broadcast event and subsequent execution or network activity" }, { "field": "SensitiveIntentList", "description": "List of broadcast intents considered high-risk (e.g., BOOT_COMPLETED, SMS_RECEIVED)" }, { "field": "AllowedAppList", "description": "Baseline of legitimate applications expected to use broadcast receivers for these intents" }, { "field": "ForegroundStateRequired", "description": "Determines whether execution without foreground presence increases detection confidence" } ] }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0712#AN1838", "external_id": "AN1838" }, { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1838", "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.\nVerified Boot can detect unauthorized modifications to the system partition at boot time.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet Attestation API (deprecated and superseded by the Play Integrity API; verdicts should be validated server-side rather than trusted on-device) provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "name": "Sensor Health", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0715#AN1844", "external_id": "AN1844" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1844", "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application 
contains suspicious code and/or metadata.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "name": "User Interface", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "name": "Application Vetting", "channel": "None" } ], "x_mitre_deprecated": false }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1823", "external_id": "AN1823" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-13T23:48:31.416Z", "name": "Analytic 1823", "description": "A legitimate-seeming application or update is installed through an expected or previously trusted path, but shortly after first run or update the application exhibits new runtime behavior, sensor use, file staging, or network communications inconsistent with its historical baseline, documented role, or prior version. 
The defender specifically looks for behaviors commonly introduced by compromised third-party libraries or manipulated build tooling, such as unexpected background service activation, first-seen framework use, new permissions exercised, novel network destinations, or dropped local artifacts not aligned to the app's expected function.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "name": "android:MDMLog", "channel": "Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "android:MDMLog", "channel": "Newly installed or updated application launches background service, becomes active without recent user interaction, or executes immediately after update in a pattern inconsistent with baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior 
after install or update" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Maximum span between install/update or first launch and the first suspicious behavior drift." }, { "field": "AllowedAppList", "description": "Apps legitimately expected to add services, libraries, or destinations because of approved releases." }, { "field": "AllowedVersionChangeWindow", "description": "Grace period after an approved release during which limited behavior drift may be expected." }, { "field": "CapabilityDriftThreshold", "description": "Threshold for how many new permissions or capabilities are tolerated before behavior is considered suspicious." }, { "field": "SensorDriftThreshold", "description": "Threshold for newly used sensors or privacy-sensitive resources that are tolerated for a known app." }, { "field": "ForegroundStateRequired", "description": "Whether certain framework or sensor behaviors should only be treated as suspicious when they occur without visible user interaction." }, { "field": "RecentUserInteractionWindow", "description": "Time threshold for distinguishing autonomous post-update execution from normal first-run user activity." }, { "field": "DestinationAllowList", "description": "Expected domains, CDNs, telemetry services, or APIs associated with approved app updates and known SDKs." }, { "field": "BehaviorBaselinePopulation", "description": "Devices, versions, or user cohorts used to define normal behavior for the app." 
} ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0082", "external_id": "DC0082" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T18:37:33.992Z", "name": "Network Connection Creation", "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
"ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "NSM:Flow", "channel": "log entries indicating network connection initiation on macOS" }, { "name": "auditd:SYSCALL", "channel": "connect" }, { "name": "auditd:SYSCALL", "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline" }, { "name": "auditd:SYSCALL", "channel": "connect/sendto" }, { "name": "auditd:SYSCALL", "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK" }, { "name": "auditd:SYSCALL", "channel": "socket/connect with TLS context by unexpected process" }, { "name": "auditd:SYSCALL", "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence." }, { "name": "auditd:SYSCALL", "channel": "sendto/connect" }, { "name": "auditd:SYSCALL", "channel": "outbound connections" }, { "name": "auditd:SYSCALL", "channel": "socket/bind: Process binds to a new local port shortly after knock" }, { "name": "auditd:SYSCALL", "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports" }, { "name": "auditd:SYSCALL", "channel": "openat,connect -k discovery" }, { "name": "AWS:VPCFlowLogs", "channel": "Outbound connection to 169.254.169.254 from EC2 workload" }, { "name": "AWS:VPCFlowLogs", "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs" }, { "name": "AWS:VPCFlowLogs", "channel": "High outbound traffic from new region resource" }, { "name": "AWS:VPCFlowLogs", "channel": "Outbound connections to port 22, 3389" }, { "name": "AWS:VPCFlowLogs", "channel": "Traffic observed on mirror destination instance" }, { "name": "cni:netflow", "channel": "outbound connection to internal or external APIs" }, { "name": "ebpf:syscalls", "channel": "socket connect" }, { "name": "esxi:esxupdate", "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log" }, { "name": "esxi:hostd", "channel": 
"System service interactions" }, { "name": "esxi:hostd", "channel": "Service initiated connections" }, { "name": "esxi:hostd", "channel": "Service-Based Network Connection" }, { "name": "esxi:vmkernel", "channel": "protocol egress" }, { "name": "esxi:vmkernel", "channel": "network activity" }, { "name": "esxi:vmkernel", "channel": "None" }, { "name": "esxi:vmkernel", "channel": "network session initiation with external HTTPS services" }, { "name": "linux:osquery", "channel": "family=AF_PACKET or protocol raw; process name not in allowlist." }, { "name": "linux:syslog", "channel": "network" }, { "name": "linux:syslog", "channel": "postfix/smtpd" }, { "name": "linux:syslog", "channel": "New Wi-Fi connection established or repeated association failures" }, { "name": "linux:syslog", "channel": "None" }, { "name": "linux:Sysmon", "channel": "EventCode=3, 22" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT" }, { "name": "macos:osquery", "channel": "process_events/socket_events" }, { "name": "macos:osquery", "channel": "execution of trusted tools interacting with external endpoints" }, { "name": "macos:osquery", "channel": "launchd or network_events" }, { "name": "macos:osquery", "channel": "process_events + launchd" }, { "name": "macos:osquery", "channel": "process_events, socket_events" }, { "name": "macos:osquery", "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains" }, { "name": "macos:osquery", "channel": "None" }, { "name": "macos:unifiedlog", "channel": "connection attempts" }, { "name": "macos:unifiedlog", "channel": "connection open" }, { "name": "macos:unifiedlog", "channel": "network connection events" }, { "name": "macos:unifiedlog", "channel": "First outbound connection from the same PID/user shortly after an inbound trigger." 
}, { "name": "macos:unifiedlog", "channel": "network sessions initiated by remote desktop apps" }, { "name": "macos:unifiedlog", "channel": "Inbound connections to VNC/SSH ports" }, { "name": "macos:unifiedlog", "channel": "network" }, { "name": "macos:unifiedlog", "channel": "Outbound Traffic" }, { "name": "macos:unifiedlog", "channel": "None" }, { "name": "macos:unifiedlog", "channel": "networkd or socket" }, { "name": "macos:unifiedlog", "channel": "log stream network activity" }, { "name": "macos:unifiedlog", "channel": "Association and authentication events including failures and new SSIDs" }, { "name": "Network", "channel": "None" }, { "name": "Network Traffic", "channel": "None" }, { "name": "networkdevice:Flow", "channel": "Traffic from mirrored interface to mirror target IP" }, { "name": "networkdevice:syslog", "channel": "Dynamic route changes" }, { "name": "NSM:Connections", "channel": "web domain alerts" }, { "name": "NSM:Connections", "channel": "New outbound connection from Safari/Chrome/Firefox/Word" }, { "name": "NSM:Connections", "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports" }, { "name": "NSM:Connections", "channel": "Outbound connection after script or installer launch" }, { "name": "NSM:Firewall", "channel": "Outbound Connections" }, { "name": "NSM:Firewall", "channel": "proxy or TLS inspection logs" }, { "name": "NSM:Flow", "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host" }, { "name": "NSM:Flow", "channel": "conn.log" }, { "name": "NSM:Flow", "channel": "Outbound connection to *.tunnels.api.visualstudio.com or *.devtunnels.ms" }, { "name": "NSM:Flow", "channel": "Connections to *.devtunnels.ms or tunnels.api.visualstudio.com" }, { "name": "NSM:Flow", "channel": "HTTPs connection to tunnels.api.visualstudio.com" }, { "name": "NSM:Flow", "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries" }, { 
"name": "NSM:Flow", "channel": "connection: TCP connections to ports 139/445 to multiple hosts" }, { "name": "NSM:Flow", "channel": "connection: SMB connections to multiple internal hosts" }, { "name": "NSM:Flow", "channel": "Outbound HTTP/S initiated by newly installed interpreter process" }, { "name": "NSM:Flow", "channel": "outbound connections to RMM services or to unusual destination ports" }, { "name": "NSM:Flow", "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port." }, { "name": "NSM:Flow", "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow." }, { "name": "NSM:Flow", "channel": "Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow." }, { "name": "NSM:Flow", "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change" }, { "name": "NSM:Flow", "channel": "New egress to Internet by the same UID/host shortly after terminal exec" }, { "name": "NSM:Flow", "channel": "connection: Inbound connections to SSH or VPN ports" }, { "name": "NSM:Flow", "channel": "External access to container ports (2375, 6443)" }, { "name": "NSM:Flow", "channel": "remote access" }, { "name": "NSM:Flow", "channel": "Outbound Connections" }, { "name": "NSM:Flow", "channel": "connection attempts" }, { "name": "NSM:Flow", "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs" }, { "name": "NSM:Flow", "channel": "outbound connections from host during or immediately after image build" }, { "name": "NSM:Flow", "channel": "new outbound connection from browser/office lineage" }, { "name": "NSM:Flow", "channel": "new outbound connection from exploited lineage" }, { "name": "NSM:Flow", "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a 
new port from same src within TimeWindowKnock" }, { "name": "NSM:Flow", "channel": "Closed-port hits followed by success from same src_ip" }, { "name": "NSM:Flow", "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock" }, { "name": "NSM:Flow", "channel": "Unexpected inbound/outbound TFTP traffic for device image files" }, { "name": "NSM:Flow", "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services" }, { "name": "snmp:access", "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters" }, { "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational", "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields" }, { "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig", "channel": "EventCode=8001, 8002, 8003" }, { "name": "WinEventLog:Security", "channel": "EventCode=5156, 5157" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=3, 22" }, { "name": "WinEventLog:System", "channel": "EventCode=8001" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0035", "external_id": "DC0035" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T18:45:08.713Z", "name": "Process Access", "description": "Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. 
Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDR solutions that provide telemetry on inter-process access and memory manipulation.\n- Sysmon (Windows):\n - Event ID 10: Captures process access attempts, including:\n - Source process (initiator)\n - Target process (victim)\n - Access rights requested\n - Process ID correlation\n- Windows Event Logs:\n - Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.\n - Event ID 4690 (An attempt was made to duplicate a handle to an object): Can help identify handle duplication into another process, a common precursor to injection.\n- Linux/macOS Monitoring:\n - AuditD: Monitors process access through syscall tracing (e.g., `ptrace`, `open`, `read`, `write`).\n - eBPF (kprobes/tracepoints): Used for low-level monitoring of kernel process access.\n - OSQuery: Query process access behavior via structured SQL-like logging.\n- Procmon (Process Monitor) and Debugging Tools:\n - Windows Procmon: Captures real-time process interactions.\n - Linux strace / ptrace: Useful for tracking process behavior at the system call level.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "WinEventLog:Sysmon", "channel": "EventCode=10" }, { "name": "linux:osquery", "channel": "Process State" }, { "name": "auditd:SYSCALL", "channel": "ptrace attach" }, { "name": "macos:unifiedlog", "channel": "ptrace or task_for_pid" }, { "name": "macos:osquery", "channel": "process_open" }, { "name": "auditd:SYSCALL", "channel": "High frequency of accept(), read(), or SSL_read() syscalls tied to nginx/apache processes" }, { "name": "Apple TCC Logs", "channel": "Microphone Access Events" }, 
{ "name": "auditd:SYSCALL", "channel": "ptrace" }, { "name": "linux:syslog", "channel": "syscalls (open, read, ioctl) on /dev/input or /proc/*/fd/*" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=25" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_OPEN" }, { "name": "macos:unifiedlog", "channel": "Unexpected NSXPCConnection calls by non-Apple-signed or abnormal binaries" }, { "name": "WinEventLog:Security", "channel": "EventCode=4663, 4670, 4656" }, { "name": "macos:unifiedlog", "channel": "Unusual Mach port registration or access attempts between unrelated processes" }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.security, library=libsystem_kernel.dylib" }, { "name": "auditd:SYSCALL", "channel": "ptrace syscall or access to /proc/*/mem" }, { "name": "macos:unifiedlog", "channel": "vm_read, task_for_pid, or file open to cookie databases" }, { "name": "linux:osquery", "channel": "process_events" }, { "name": "auditd:SYSCALL", "channel": "ACCESS" }, { "name": "auditd:SYSCALL", "channel": "execve, fork, mmap, ptrace" }, { "name": "auditd:SYSCALL", "channel": "ptrace or process_vm_readv" }, { "name": "macos:osquery", "channel": "unexpected memory inspection" }, { "name": "iOS:unifiedlog", "channel": "Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen" }, { "name": "android:logcat", "channel": "Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection" }, { "name": "iOS:unifiedlog", "channel": "Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data" }, { "name": "android:logcat", "channel": "Activity/Process state change (mFocusedApp, onResume/onPause) identifying the app as foreground" }, { "name": "iOS:unifiedlog", "channel": "Foreground/background transition for the app to contextualize access timing" }, { "name": "android:logcat", "channel": 
"Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for " }, { "name": "iOS:unifiedlog", "channel": "Keyboard extension Full Access change; privacy grant touching input/keyboard categories for " }, { "name": "android:logcat", "channel": "Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for " }, { "name": "iOS:unifiedlog", "channel": "Keyboard extension Full Access change or related privacy grant for " }, { "name": "android:logcat", "channel": "Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for " }, { "name": "iOS:unifiedlog", "channel": "Scene/foreground transitions for to contextualize timing" }, { "name": "android:logcat", "channel": "Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE" }, { "name": "EDR:telemetry", "channel": "Sustained or high-frequency location sensor access, including background location usage" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0055", "external_id": "DC0055" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T18:39:07.536Z", "name": "File Access", "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. 
Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "macOS:unifiedlog", "channel": "looking for file access to scripts with abnormal encoding patterns" }, { "name": "android:logcat", "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data//files/, /storage/emulated/0/Download//*)" }, { "name": "android:logcat", "channel": "KeyChain/AndroidKeyStore read of token alias" }, { "name": "android:logcat", "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow" }, { "name": "auditd:FILE", "channel": "/home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data" }, { "name": "auditd:FILE", "channel": "/proc/*/mem read attempt" }, { "name": "auditd:FS", "channel": "read: File access to /proc/modules or /sys/module/" }, { "name": "auditd:PATH", "channel": "Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini)" }, { "name": "auditd:PATH", "channel": "open: Access to sensitive log files 
(/var/log/auth.log, /var/log/secure, /var/log/syslog)" }, { "name": "auditd:PATH", "channel": "PATH" }, { "name": "auditd:PATH", "channel": "file read" }, { "name": "auditd:SYSCALL", "channel": "open, read, or stat of browser config files" }, { "name": "auditd:SYSCALL", "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache" }, { "name": "auditd:SYSCALL", "channel": "openat" }, { "name": "auditd:SYSCALL", "channel": "open" }, { "name": "auditd:SYSCALL", "channel": "open, read" }, { "name": "auditd:SYSCALL", "channel": "open, flock, fcntl, unlink" }, { "name": "auditd:SYSCALL", "channel": "read/open of sensitive files" }, { "name": "auditd:SYSCALL", "channel": "Unusual processes accessing or modifying cookie databases" }, { "name": "auditd:SYSCALL", "channel": "PATH records referencing /dev/video*" }, { "name": "auditd:SYSCALL", "channel": "open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/" }, { "name": "auditd:SYSCALL", "channel": "Processes reading credential or token cache files" }, { "name": "auditd:SYSCALL", "channel": "read/open of sensitive file directories" }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive config or secret files" }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive directories" }, { "name": "auditd:SYSCALL", "channel": "open/read: Access to /proc/self/status with focus on TracerPID field" }, { "name": "auditd:SYSCALL", "channel": "open/read access to ~/.bash_history" }, { "name": "auditd:SYSCALL", "channel": "open,read" }, { "name": "auditd:SYSCALL", "channel": "open/read system calls to ~/.bash_history or /etc/shadow" }, { "name": "auditd:SYSCALL", "channel": "read of /run/secrets or docker volumes by non-entrypoint process" }, { "name": "auditd:SYSCALL", "channel": "Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input" }, { "name": "auditd:SYSCALL", "channel": "open/read" }, { "name": "auditd:SYSCALL", "channel": "open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected 
processes" }, { "name": "auditd:SYSCALL", "channel": "open or read to browser cookie storage" }, { "name": "auditd:SYSCALL", "channel": "open, read, mount" }, { "name": "auditd:SYSCALL", "channel": "file" }, { "name": "auditd:SYSCALL", "channel": "Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey" }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive directories (/etc, /home/*)" }, { "name": "auditd:SYSCALL", "channel": "PATH" }, { "name": "auditd:SYSCALL", "channel": "open/read on ~/.local/share/keepassxc/* OR ~/.password-store/*" }, { "name": "auditd:SYSCALL", "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID" }, { "name": "azure:activity", "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows" }, { "name": "CloudTrail:GetObject", "channel": "sensitive credential files in buckets or local image storage" }, { "name": "desktop:file_manager", "channel": "nautilus, dolphin, or gvfs logs" }, { "name": "ebpf:syscalls", "channel": "container_file_activity" }, { "name": "ebpf:syscalls", "channel": "open/read on secret mount paths" }, { "name": "esxi:hostd", "channel": "datastore file access" }, { "name": "esxi:hostd", "channel": "read: Access to sensitive log files by non-admin users" }, { "name": "esxi:hostd", "channel": "datastore/log file access" }, { "name": "esxi:hostd", "channel": "vSphere File API Access" }, { "name": "esxi:hostd", "channel": "file copy or datastore upload via HTTPS" }, { "name": "esxi:syslog", "channel": "guest OS outbound transfer logs" }, { "name": "esxi:vmkernel", "channel": "VMFS access logs" }, { "name": "esxis:vmkernel", "channel": "Datastore Access" }, { "name": "File", "channel": "None" }, { "name": "fs:fileevents", "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact 
collection (/System/Library, /usr/sbin, plist files)" }, { "name": "fs:fsevents", "channel": "file system events indicating access to system configuration files and environmental information sources" }, { "name": "fs:fsusage", "channel": "file" }, { "name": "fs:fsusage", "channel": "File Access Monitor" }, { "name": "fs:fsusage", "channel": "Disk Activity Tracing" }, { "name": "fs:fsusage", "channel": "filesystem activity" }, { "name": "fs:fsusage", "channel": "Filesystem Call Monitoring" }, { "name": "fs:fsusage", "channel": "read/write" }, { "name": "fs:fsusage", "channel": "file open for known browser cookie paths" }, { "name": "fs:fsusage", "channel": "file reads/writes from /Volumes/" }, { "name": "fs:quarantine", "channel": "/var/log/quarantine.log" }, { "name": "gcp:audit", "channel": "Write operations to storage" }, { "name": "iOS:unifiedlog", "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle" }, { "name": "iOS:unifiedlog", "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow" }, { "name": "kubernetes:audit", "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server" }, { "name": "linux:osquery", "channel": "/proc/*/maps access" }, { "name": "linux:osquery", "channel": "None" }, { "name": "linux:syslog", "channel": "auth.log or custom tool logs" }, { "name": "linux:syslog", "channel": "/var/log/syslog" }, { "name": "linux:syslog", "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns" }, { "name": "m365:unified", "channel": "FileAccessed, MailboxAccessed" }, { "name": "m365:unified", "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)" }, 
{ "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations" }, { "name": "macos:endpointsecurity", "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks" }, { "name": "macos:endpointsecurity", "channel": "open or read syscall to ~/.bash_history" }, { "name": "macos:endpointsecurity", "channel": "es_event_open, es_event_exec" }, { "name": "macos:keychain", "channel": "Access to Keychain DB or system.keychain" }, { "name": "macos:keychain", "channel": "~/Library/Keychains, /Library/Keychains" }, { "name": "macos:osquery", "channel": "file_events" }, { "name": "macos:osquery", "channel": "None" }, { "name": "macos:unifiedlog", "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes" }, { "name": "macos:unifiedlog", "channel": "file events" }, { "name": "macos:unifiedlog", "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage" }, { "name": "macos:unifiedlog", "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json" }, { "name": "macos:unifiedlog", "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/" }, { "name": "macos:unifiedlog", "channel": "log stream - file subsystem" }, { "name": "macos:unifiedlog", "channel": "file read of sensitive directories" }, { "name": "macos:unifiedlog", "channel": "Abnormal process access to Safari or Chrome cookie storage" }, { "name": "macos:unifiedlog", "channel": "open: Access to /var/log/system.log or related security event logs" }, { "name": "macos:unifiedlog", "channel": "open/read of *.plist or .env files" }, { "name": "macos:unifiedlog", "channel": "read of user document directories" }, { "name": "macos:unifiedlog", "channel": "read access to ~/Library/Keychains/login.keychain-db" }, { "name": "macos:unifiedlog", "channel": "filesystem and process events" 
}, { "name": "macos:unifiedlog", "channel": "read access to ~/Library/Keychains or history files by terminal processes" }, { "name": "macos:unifiedlog", "channel": "access to /Volumes/SharePoint or network mount" }, { "name": "macos:unifiedlog", "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files" }, { "name": "macos:unifiedlog", "channel": "access to keychain database" }, { "name": "macos:unifiedlog", "channel": "log stream - file provider subsystem" }, { "name": "macos:unifiedlog", "channel": "read/write of user documents prior to upload" }, { "name": "macos:unifiedlog", "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)" }, { "name": "macos:unifiedlog", "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths" }, { "name": "macos:unifiedlog", "channel": "*.opvault OR *.ldb OR *.kdbx" }, { "name": "macos:unifiedlog", "channel": "Recent download opened or executed" }, { "name": "MobileEDR:telemetry", "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase" }, { "name": "MobileEDR:telemetry", "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase" }, { "name": "MobileEDR:telemetry", "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution" }, { "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", "channel": "Suspicious file execution on removable media path" }, { "name": "WinEventLog:Security", "channel": "EventCode=4663, 4670, 4656" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0039", "external_id": "DC0039" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T17:17:05.280Z", "name": "File Creation", "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "File", "channel": "None" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=11" }, { "name": "auditd:SYSCALL", "channel": "creat" }, { "name": "macos:unifiedlog", "channel": "file write" }, { "name": "macos:osquery", "channel": "CREATE/MODIFY: Modification of app.asar inside .app bundle" }, { "name": "auditd:FILE", "channel": "File creation with name starting with '.'" }, { "name": "macos:unifiedlog", "channel": "Creation or modification of browser extension .plist files" }, { "name": "auditd:SYSCALL", "channel": "open or creat syscalls targeting excluded paths" }, { "name": "macos:unifiedlog", "channel": "file creation in AV exclusion directories" }, { "name": "auditd:SYSCALL", "channel": "file creation/modification" }, { "name": "macos:unifiedlog", "channel": "file write/create" }, { "name": "esxi:vmkernel", "channel": "file write" }, { "name": "snmp:syslog", "channel": "firmware write/log event" }, { "name": "auditd:SYSCALL", "channel": "open,creat,rename: 
Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions" }, { "name": "fs:fsevents", "channel": "Create in /Users/*/Downloads or /private/var/folders/* with quarantine attribute" }, { "name": "macos:unifiedlog", "channel": "file events" }, { "name": "esxi:vmkernel", "channel": "VMFS file creation" }, { "name": "auditd:SYSCALL", "channel": "write/open, FIM audit" }, { "name": "fs:fsusage", "channel": "open/write/exec calls" }, { "name": "macos:unifiedlog", "channel": "Creation of .plist under /Library/Managed Preferences/" }, { "name": "fs:fileevents", "channel": "creat" }, { "name": "fs:fsusage", "channel": "disk activity on /Library/LaunchAgents or LaunchDaemons" }, { "name": "macos:osquery", "channel": "file_events" }, { "name": "auditd:SYSCALL", "channel": "open: Write to ~/.vscode-cli/code_tunnel.json" }, { "name": "macos:unifiedlog", "channel": "creation of ~/.vscode-cli/code_tunnel.json" }, { "name": "macos:unifiedlog", "channel": "create/modify dylib files in monitored directories" }, { "name": "auditd:SYSCALL", "channel": "write" }, { "name": "linux:Sysmon", "channel": "New files in /tmp, /var/tmp, $HOME/.cache, executed within TimeWindow after browser HTTP fetch" }, { "name": "macos:unifiedlog", "channel": "New files written to /var/folders, /tmp, ~/Library/Caches, or ~/Downloads by browser context or its children" }, { "name": "auditd:FILE", "channel": "create: New file created in system binaries or temp directories" }, { "name": "macos:unifiedlog", "channel": "File created in ~/Library/LaunchAgents or executable directories" }, { "name": "auditd:SYSCALL", "channel": "open, unlink, rename: File creation or deletion involving critical stored data" }, { "name": "macos:unifiedlog", "channel": "Process wrote large .mov/.mp4 in user temp/hidden dirs" }, { "name": "macos:unifiedlog", "channel": "logd:file write" }, { "name": "fs:fsusage", "channel": "File IO" }, { "name": "auditd:SYSCALL", "channel": "creat, open, write on 
/etc/systemd/system and /usr/lib/systemd/system" }, { "name": "macos:unifiedlog", "channel": "File creation" }, { "name": "macos:unifiedlog", "channel": "Attachment files written to ~/Downloads or temporary folders" }, { "name": "fs:fsusage", "channel": "file activity" }, { "name": "CloudTrail:PutObject", "channel": "PutObject" }, { "name": "auditd:PATH", "channel": "Creation of files with extensions .sql, .csv, .sqlite, especially in user directories" }, { "name": "macos:unifiedlog", "channel": "Writes of .sql/.csv/.xlsx files to user documents/downloads" }, { "name": "auditd:PATH", "channel": "New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install" }, { "name": "auditd:SYSCALL", "channel": "write, open, or rename to /etc/systemd/system/*.service" }, { "name": "auditd:FILE", "channel": "create: Creation of .zip, .gz, .bz2 files in /tmp, /var/tmp, or /home directories" }, { "name": "macos:unifiedlog", "channel": "Creation of .zip, .gz, .dmg archives in /Users, /tmp, or application directories" }, { "name": "fs:fsusage", "channel": "file open/write" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_CREATE: path under /Users/*/(Downloads|Desktop|Library/*/Containers|Library/Group Containers) AND extension in SuspiciousExtensions" }, { "name": "auditd:SYSCALL", "channel": "open/create/rename: name in (/home/*/Downloads/*|/tmp/*|/run/user/*|/media/*) AND ext in SuspiciousExtensions" }, { "name": "auditd:FILE", "channel": "create: Creation of archive files in /tmp, /var/tmp, or user home directories" }, { "name": "macos:unifiedlog", "channel": "Creation of .zip, .dmg, .tar.gz files in /Users, /tmp, or application directories" }, { "name": "linux:osquery", "channel": "file_events" }, { "name": "macos:unifiedlog", "channel": "File Events" }, { "name": "auditd:SYSCALL", "channel": "File creations of *.qcow2, *.vdi, *.vmdk outside standard VM directories" }, { "name": "macos:unifiedlog", "channel": "Creation or 
modification of postinstall scripts within .pkg or .mpkg contents" }, { "name": "auditd:SYSCALL", "channel": "open: File creation under /tmp, /var/tmp, ~/.cache with executable bit or shell shebang" }, { "name": "macos:unifiedlog", "channel": "create: New files in /tmp or ~/Library/Application Support/* with executable or script extensions" }, { "name": "auditd:SYSCALL", "channel": "open, write, unlink" }, { "name": "WinEventLog:Sysmon", "channel": "File creation of suspicious scripts/binaries in temporary directories" }, { "name": "macos:unifiedlog", "channel": "File creation of unsigned binaries/scripts in user cache or download directories" }, { "name": "auditd:SYSCALL", "channel": "File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds" }, { "name": "fs:fsusage", "channel": "create: Attachment file creation in ~/Library/Mail directories" }, { "name": "WinEventLog:Microsoft-Windows-Shell-Core", "channel": "New startup folder shortcut or binary placed in Startup directory" }, { "name": "auditd:SYSCALL", "channel": "write or create file after .bash_history access" }, { "name": "auditd:SYSCALL", "channel": "new file created in /var/www/html, /srv/http, or similar web root" }, { "name": "fs:launchdaemons", "channel": "file_create" }, { "name": "auditd:PATH", "channel": "mount target path within /proc/*" }, { "name": "macos:fsevents", "channel": "/Library/StartupItems/, ~/Library/LaunchAgents/" }, { "name": "fs:fsusage", "channel": "write or chmod to ~/Library/LaunchAgents/*.plist" }, { "name": "auditd:PATH", "channel": "creation of .so files in non-standard directories (e.g., /tmp, /home/*)" }, { "name": "auditd:FILE", "channel": "create: Creation of files with anomalous headers and entropy levels in /tmp or user directories" }, { "name": "macos:unifiedlog", "channel": "Creation of files with anomalous headers and entropy values" }, { "name": "auditd:SYSCALL", "channel": "Access or modification to /lib/modules or creation of .ko files" }, 
{ "name": "fs:fsevents", "channel": "Directory events (kFSEventStreamEventFlagItemCreated)" }, { "name": "gcp:workspaceaudit", "channel": "drive.activity logs" }, { "name": "fs:fileevents", "channel": "create/write/rename in user-writable paths" }, { "name": "auditd:PATH", "channel": "WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs" }, { "name": "macos:osquery", "channel": "CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations" }, { "name": "auditd:SYSCALL", "channel": "open,create" }, { "name": "auditd:FILE", "channel": "Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin)" }, { "name": "macos:unifiedlog", "channel": "Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories" }, { "name": "auditd:FILE", "channel": "create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp" }, { "name": "macos:unifiedlog", "channel": "Creation of .zip or .dmg files in user-accessible or temporary directories" }, { "name": "fs:fsusage", "channel": "file write" }, { "name": "macos:endpointsecurity", "channel": "es_event_open" }, { "name": "macos:unifiedlog", "channel": "file create or modify in /etc/emond.d/rules or /private/var/db/emondClients" }, { "name": "auditd:SYSCALL", "channel": "open,creat,rename,write" }, { "name": "macos:unifiedlog", "channel": "Writes under ~/Library/Application Support/Code*/extensions or JetBrains plugins" }, { "name": "AWS:CloudTrail", "channel": "PutObject" }, { "name": "android:logcat", "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data//files/, /sdcard/Download/) and high estimated entropy" }, { "name": "iOS:unifiedlog", "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application//tmp|Library/Caches)" }, { "name": "android:logcat", "channel": "App UID writes edited media to container paths (e.g., /data/data//files/, 
.../cache/, /storage/emulated/0/Pictures//) with high delta in size vs. original and elevated estimated segment entropy " }, { "name": "android:logcat", "channel": "Create/write of high-entropy files in /data/data//(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin" }, { "name": "iOS:unifiedlog", "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/" }, { "name": "android:logcat", "channel": "Create/write under /data/data//(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy" }, { "name": "iOS:unifiedlog", "channel": "Create/write in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy" }, { "name": "android:logcat", "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths" }, { "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items" }, { "name": "android:logcat", "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)" }, { "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)" }, { "name": "android:logcat", "channel": "CREATE/WRITE paths like /data/data//files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log" }, { "name": "iOS:unifiedlog", "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container" }, { "name": "android:logcat", "channel": "CREATE/WRITE to /data/data//(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)" }, { "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container" }, { "name": "android:logcat", "channel": "CREATE/WRITE to 
/data/data//(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)" }, { "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container" }, { "name": "android:logcat", "channel": "CREATE/WRITE /data/data//(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)" }, { "name": "iOS:unifiedlog", "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)" }, { "name": "android:logcat", "channel": "CREATE/WRITE /data/data//(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)" }, { "name": "iOS:unifiedlog", "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)" }, { "name": "MobileEDR:telemetry", "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content" }, { "name": "MobileEDR:telemetry", "channel": "File writes from removable-media or USB-associated paths into download, package staging, temp, or application-accessible storage shortly after USB connection" }, { "name": "MobileEDR:telemetry", "channel": "large file write originating from /mnt/usb or external mounted storage" }, { "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer" }, { "name": "MobileEDR:telemetry", "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow" }, { "name": "MobileEDR:telemetry", "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class" }, { "name": 
"MobileEDR:telemetry", "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity" }, { "name": "MobileEDR:telemetry", "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission" }, { "name": "MobileEDR:telemetry", "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission" }, { "name": "MobileEDR:telemetry", "channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission" }, { "name": "MobileEDR:telemetry", "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity" }, { "name": "MobileEDR:telemetry", "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity" }, { "name": "MobileEDR:telemetry", "channel": "Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication" }, { "name": "MobileEDR:telemetry", "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase" }, { "name": "MobileEDR:telemetry", "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer" }, { "name": "MobileEDR:telemetry", "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect" }, { "name": 
"MobileEDR:telemetry", "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement" }, { "name": "MobileEDR:telemetry", "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0085", "external_id": "DC0085" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-22T14:48:50.367Z", "name": "Network Traffic Content", "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. 
`suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Traffic", "channel": "None" }, { "name": "ALB:HTTPLogs", "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts" }, { "name": "apache:access_log", "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders" }, { "name": "API:ConfigRepoAudit", "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads" }, { "name": "auditd:SYSCALL", "channel": "setsockopt, ioctl modifying ARP entries" }, { "name": "AWS:VPCFlowLogs", "channel": "Traffic between instances" }, { "name": "AWS:VPCFlowLogs", "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure" }, { "name": "AWS:VPCFlowLogs", "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs" }, { "name": 
"AWS:VPCFlowLogs", "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer" }, { "name": "azure:activity", "channel": "networkInsightsLogs" }, { "name": "azure:vpcflow", "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints" }, { "name": "container:proxy", "channel": "outbound/inbound network activity from spawned pods" }, { "name": "docker:events", "channel": "remote API calls to /containers/create or /containers/{id}/start" }, { "name": "docker:stats", "channel": "unusual network TX/RX byte deltas" }, { "name": "ebpf:syscalls", "channel": "Process within container accesses link-local address 169.254.169.254" }, { "name": "EDR:hunting", "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents" }, { "name": "esxcli:network", "channel": "Socket sessions with randomized payloads inconsistent with TLS" }, { "name": "esxcli:network", "channel": "listening sockets bound to non-standard ports" }, { "name": "esxcli:network", "channel": "listening sockets bound with non-standard encapsulated protocols" }, { "name": "esxcli:network", "channel": "Socket inspection showing RSA key exchange outside baseline endpoints" }, { "name": "esxi:vmkernel", "channel": "Network activity" }, { "name": "esxi:vmkernel", "channel": "Outbound traffic using encoded payloads post-login" }, { "name": "esxi:vmkernel", "channel": "HTTPS POST connections to webhook endpoints" }, { "name": "esxi:vmkernel", "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes" }, { "name": "esxi:vmkernel", "channel": "HTTPS POST connections to pastebin-like domains" }, { "name": "esxi:vmkernel", "channel": "network stack module logs" }, { "name": "esxi:vmkernel", "channel": "Suspicious traffic filtered or redirected by VM networking stack" }, { "name": "esxi:vmkernel", "channel": "VMCI syslog entries" }, { "name": "esxi:vob", "channel": "NFS/remote access logs" }, { "name": 
"etw:Microsoft-Windows-NDIS-PacketCapture", "channel": "TLS Handshake/Network Flow" }, { "name": "etw:Microsoft-Windows-WinINet", "channel": "HTTPS Inspection" }, { "name": "etw:Microsoft-Windows-WinINet", "channel": "WinINet API telemetry" }, { "name": "gcp:audit", "channel": "network.query*" }, { "name": "gcp:vpcflow", "channel": "first 5m egress to unknown ASNs" }, { "name": "IDS:TLSInspection", "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs" }, { "name": "iOS:unifiedlog", "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode" }, { "name": "iOS:unifiedlog", "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)" }, { "name": "iOS:unifiedlog", "channel": "WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)" }, { "name": "linux:syslog", "channel": "Query to suspicious domain with high entropy or low reputation" }, { "name": "linux:syslog", "channel": "curl|wget|python .*http" }, { "name": "linux:syslog", "channel": "Unexpected SQL or application log entries showing tampered or malformed data" }, { "name": "linux:syslog", "channel": "Integrity mismatch warnings or malformed packets detected" }, { "name": "linux:syslog", "channel": "DNS response IPs followed by connections to non-standard calculated ports" }, { "name": "linux:syslog", "channel": "Multiple NXDOMAIN responses and high entropy domains" }, { "name": "m365:office", "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger" }, { "name": "macos:unifiedlog", "channel": "process + network metrics correlation for bandwidth saturation" }, { "name": "macos:unifiedlog", "channel": "DNS query with pseudo-random subdomain patterns" }, { "name": "macos:unifiedlog", "channel": "network flow" }, { "name": "macos:unifiedlog", "channel": "curl|osascript.*open location" }, { "name": 
"macos:unifiedlog", "channel": "subsystem: com.apple.network" }, { "name": "macos:unifiedlog", "channel": "open URL|clicked link|LSQuarantineAttach" }, { "name": "macos:unifiedlog", "channel": "None" }, { "name": "macos:unifiedlog", "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns" }, { "name": "macos:unifiedlog", "channel": "HTTP POST with encoded content in user-agent or cookie field" }, { "name": "macos:unifiedlog", "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction" }, { "name": "macos:unifiedlog", "channel": "log stream (subsystem: com.apple.system.networking)" }, { "name": "macos:unifiedlog", "channel": "Encrypted connection with anomalous payload entropy" }, { "name": "macos:unifiedlog", "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession" }, { "name": "macos:unifiedlog", "channel": "network, socket, and http logs" }, { "name": "macos:unifiedlog", "channel": "DNS responses followed by connections to ports outside standard ranges" }, { "name": "macos:unifiedlog", "channel": "Persistent outbound traffic to mining domains" }, { "name": "macos:unifiedlog", "channel": "Encrypted session initiation by unexpected binary" }, { "name": "macos:unifiedlog", "channel": "eventMessage = 'promiscuous'" }, { "name": "macos:unifiedlog", "channel": "outbound HTTPS connections to code repository APIs" }, { "name": "macos:unifiedlog", "channel": "eventMessage = 'open', 'sendto', 'connect'" }, { "name": "macos:unifiedlog", "channel": "dns-sd, mDNSResponder, socket activity" }, { "name": "macos:unifiedlog", "channel": "process + network activity" }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.WebKit" }, { "name": "macos:unifiedlog", "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking" }, { "name": "macos:unifiedlog", "channel": "encrypted outbound traffic carrying unexpected application 
data" }, { "name": "macos:unifiedlog", "channel": "Persistent outbound connections with consistent periodicity" }, { "name": "macos:unifiedlog", "channel": "TLS connections with abnormal handshake sequence or self-signed cert" }, { "name": "macos:unifiedlog", "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic" }, { "name": "macos:unifiedlog", "channel": "outbound TLS connections to cloud storage providers" }, { "name": "macos:unifiedlog", "channel": "outbound HTTPS connections to cloud storage APIs" }, { "name": "macos:unifiedlog", "channel": "process, network" }, { "name": "macos:unifiedlog", "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'" }, { "name": "Netfilter/iptables", "channel": "Forwarded packets log" }, { "name": "Network Traffic", "channel": "None" }, { "name": "networkconfig", "channel": "interface flag PROMISC, netstat | ip link | ethtool" }, { "name": "networkdevice:config", "channel": "NAT table modification (add/update/delete rule)" }, { "name": "networkdevice:IDS", "channel": "content inspection / PCAP / HTTP body" }, { "name": "networkdevice:syslog", "channel": "ACL/Firewall rule modification or new route injection" }, { "name": "networkdevice:syslog", "channel": "config change (e.g., logging buffered, pcap buffers)" }, { "name": "networkdevice:syslog", "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests" }, { "name": "networkdevice:syslog", "channel": "Authentication failures or unusual community string usage in SNMP queries" }, { "name": "NSM:Connections", "channel": "Symmetric encryption detected without TLS handshake sequence" }, { "name": "NSM:Connections", "channel": "TLS handshake + HTTP headers" }, { "name": "NSM:Connections", "channel": "Abnormal certificate chains or non-standard ports carrying TLS" }, { "name": "NSM:Connections", "channel": "Unusual POST requests to admin or upload endpoints" }, { "name": 
"NSM:Connections", "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns" }, { "name": "NSM:Content", "channel": "SSL Certificate Metadata" }, { "name": "NSM:Content", "channel": "HTTP Header Metadata" }, { "name": "NSM:Content", "channel": "TLS Fingerprint and Certificate Analysis" }, { "name": "NSM:Content", "channel": "Traffic on RPC DRSUAPI" }, { "name": "NSM:Firewall", "channel": "TLS/HTTP inspection" }, { "name": "NSM:Firewall", "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion" }, { "name": "NSM:Firewall", "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface" }, { "name": "NSM:Firewall", "channel": "Outbound encrypted traffic" }, { "name": "NSM:Firewall", "channel": "ICMP/UDP protocol anomaly" }, { "name": "NSM:Flow", "channel": "mqtt.log / xmpp.log (custom log feeds)" }, { "name": "NSM:Flow", "channel": "mqtt.log or AMQP custom log" }, { "name": "NSM:Flow", "channel": "mqtt.log, xmpp.log, amqp.log" }, { "name": "NSM:Flow", "channel": "TCP/UDP" }, { "name": "NSM:Flow", "channel": "TCP session tracking" }, { "name": "NSM:Flow", "channel": "Captured packet payloads" }, { "name": "NSM:Flow", "channel": "session behavior" }, { "name": "NSM:Flow", "channel": "External C2 channel over TLS" }, { "name": "NSM:Flow", "channel": "http/file-xfer: Inbound/outbound transfer of ELF shared objects" }, { "name": "NSM:Flow", "channel": "http.log, files.log" }, { "name": "NSM:Flow", "channel": "unexpected network activity initiated shortly after shell session starts" }, { "name": "NSM:Flow", "channel": "HTTP/WebDAV requests that contain NTLMSSP or PROPFIND/MOVE/OPTIONS with Authorization: NTLM" }, { "name": "NSM:Flow", "channel": "http.log, ssl.log" }, { "name": "NSM:Flow", "channel": "http.log, conn.log" }, { "name": "NSM:Flow", "channel": "SPAN or port-mirrored HTTP/S" }, { "name": "NSM:Flow", 
"channel": "http.log, ssl.log, websocket.log" }, { "name": "NSM:Flow", "channel": "ssl.log" }, { "name": "NSM:Flow", "channel": "Browser connections to known C2 or dynamic DNS domains" }, { "name": "NSM:Flow", "channel": "Session History Reset" }, { "name": "NSM:Flow", "channel": "HTTP " }, { "name": "NSM:Flow", "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes" }, { "name": "NSM:Flow", "channel": "HTTP/TLS Logs" }, { "name": "NSM:Flow", "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST" }, { "name": "NSM:Flow", "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners" }, { "name": "NSM:Flow", "channel": "Suspicious GET/POST; downloader patterns" }, { "name": "NSM:Flow", "channel": "SSH logins or scp activity" }, { "name": "NSM:Flow", "channel": "remote login and transfer" }, { "name": "NSM:Flow", "channel": "conn.log" }, { "name": "NSM:Flow", "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs" }, { "name": "NSM:Flow", "channel": "HTTP payloads with SQLi/LFI/JNDI/deserialization indicators" }, { "name": "NSM:Flow", "channel": "outbound egress from web host after suspicious request" }, { "name": "NSM:Flow", "channel": "Requests towards cloud metadata or command & control from pod IPs" }, { "name": "NSM:Flow", "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources" }, { "name": "NSM:Flow", "channel": "NetFlow/sFlow for odd egress to Internet from mgmt plane" }, { "name": "NSM:Flow", "channel": "packet capture or DPI logs" }, { "name": "NSM:Flow", "channel": "http.log" }, { "name": "NSM:Flow", "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT" }, { "name": "NSM:Flow", "channel": "Unusual Base64-encoded content in URI, headers, or POST body" }, { "name": "NSM:Flow", "channel": "Base64 strings or gzip in URI, headers, or POST body" }, { "name": "NSM:Flow", "channel": "Inbound 
connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval." }, { "name": "NSM:Flow", "channel": "Inbound connections to monitored service ports from external or unusual internal sources; rapid follow-on lateral connections from the same host." }, { "name": "NSM:Flow", "channel": "Inbound to tcp/427 (OpenSLP), tcp/443 (vSphere APIs), tcp/902, tcp/5989 followed by new unexpected outbound sessions from the ESXi/vCenter host." }, { "name": "NSM:Flow", "channel": "Inbound to 22/5900/8080 and follow-on internal connections." }, { "name": "NSM:Flow", "channel": "http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64" }, { "name": "NSM:Flow", "channel": "http: HTTP body contains long Base64 sections" }, { "name": "NSM:Flow", "channel": "http: Base64/MIME looking payloads from ESXi host IP" }, { "name": "NSM:Flow", "channel": "LDAP Bind/Search" }, { "name": "NSM:Flow", "channel": "LDAP Query" }, { "name": "NSM:Flow", "channel": "smtp.log" }, { "name": "NSM:Flow", "channel": "smtp.log, conn.log" }, { "name": "NSM:Flow", "channel": "remote CLI session detection" }, { "name": "NSM:Flow", "channel": "http.log, ftp.log" }, { "name": "NSM:Flow", "channel": "PCAP inspection" }, { "name": "NSM:Flow", "channel": "large HTTPS POST requests to webhook endpoints" }, { "name": "NSM:Flow", "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip." }, { "name": "NSM:Flow", "channel": "Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed \u2264TimeWindow by outbound SF from same host to src_ip." }, { "name": "NSM:Flow", "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow." 
}, { "name": "NSM:Flow", "channel": "large upload to firmware interface port or path" }, { "name": "NSM:Flow", "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources" }, { "name": "NSM:Flow", "channel": "http::response: HTTP responses with suspicious content-type for scripts, long obfuscated javascript bodies, or redirects to exploit kit domains" }, { "name": "NSM:Flow", "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)" }, { "name": "NSM:Flow", "channel": "ssl.log + http.log" }, { "name": "NSM:Flow", "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture" }, { "name": "NSM:Flow", "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content" }, { "name": "NSM:Flow", "channel": "Session Transfer Content" }, { "name": "NSM:Flow", "channel": "Captured File Content" }, { "name": "NSM:Flow", "channel": "C2 exfiltration" }, { "name": "NSM:Flow", "channel": "Transferred file observations" }, { "name": "NSM:Flow", "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity" }, { "name": "NSM:Flow", "channel": "HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage" }, { "name": "NSM:Flow", "channel": "Observed downgrade in negotiated cipher suites or TLS/SSH versions across sessions" }, { "name": "NSM:Flow", "channel": "New egress from container IP/namespace to Internet or non-approved CIDRs/ASNs" }, { "name": "NSM:Flow", "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot" }, { "name": "NSM:Flow", "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install" }, { "name": "NSM:Flow", "channel": "http::request: 
Outbound HTTP initiated by Python interpreter" }, { "name": "NSM:Flow", "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs." }, { "name": "NSM:Flow", "channel": "large HTTPS POST requests to text storage domains" }, { "name": "NSM:Flow", "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers" }, { "name": "NSM:Flow", "channel": "TLS downgrade or inconsistent DNS answers" }, { "name": "NSM:Flow", "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)" }, { "name": "NSM:Flow", "channel": "conn.log or http.log" }, { "name": "NSM:Flow", "channel": "http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs" }, { "name": "NSM:Flow", "channel": "dns: DNS labels with excessive length and restricted custom alphabets (e.g., base36 only) repeated frequently" }, { "name": "NSM:Flow", "channel": "http: suspicious long tokens with custom alphabets in body/headers" }, { "name": "NSM:Flow", "channel": "http: HTTP bodies from ESXi host IPs containing long, non-standard tokens" }, { "name": "NSM:Flow", "channel": "Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols" }, { "name": "NSM:Flow", "channel": "HTTP(S) requests with User-Agents typical of PowerShell or curl from desktop; or URIs matching paste-inspired payload hosts" }, { "name": "NSM:Flow", "channel": "Egress to non-approved networks from host after terminal exec" }, { "name": "NSM:Flow", "channel": "Flow/PCAP analysis for outbound payloads" }, { "name": "NSM:Flow", "channel": "conn.log + files.log + ssl.log" }, { "name": "NSM:Flow", "channel": "HTTPS or custom protocol traffic with large payloads" }, { "name": "NSM:Flow", "channel": "Unexpected script or binary content returned in HTTP response body" }, { "name": "NSM:Flow", "channel": "Injected content responses with unexpected script/malware signatures" }, { 
"name": "NSM:Flow", "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads" }, { "name": "NSM:Flow", "channel": "Relay patterns across IP hops" }, { "name": "NSM:Flow", "channel": "ldap.log" }, { "name": "NSM:Flow", "channel": "Probe responses from unauthorized APs responding to client probe requests" }, { "name": "NSM:Flow", "channel": "Excessive gratuitous ARP replies on local subnet" }, { "name": "NSM:Flow", "channel": "Inbound HTTP POST with suspicious payload size or user-agent" }, { "name": "NSM:Flow", "channel": "POST requests to .php, .jsp, .aspx files with high entropy body" }, { "name": "NSM:Flow", "channel": "dns.log" }, { "name": "NSM:Flow", "channel": "dns.log" }, { "name": "NSM:Flow", "channel": "Encrypted tunnels or proxy traffic to non-standard destinations" }, { "name": "NSM:Flow", "channel": "large transfer from management IPs to unauthorized host" }, { "name": "NSM:Flow", "channel": "Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25)" }, { "name": "NSM:Flow", "channel": "ftp.log, smb_files.log" }, { "name": "NSM:Flow", "channel": "ftp.log, conn.log" }, { "name": "NSM:Flow", "channel": "mirror/SPAN port" }, { "name": "NSM:Flow", "channel": "ftp.log, conn.log, smb_files.log" }, { "name": "NSM:Flow", "channel": "SSL/TLS Inspection or PCAP" }, { "name": "NSM:Flow", "channel": "conn.log, ssl.log" }, { "name": "NSM:Flow", "channel": "http, dns, smb, ssl logs" }, { "name": "NSM:Flow", "channel": "dns, ssl, conn" }, { "name": "NSM:Flow", "channel": "conn.log, http.log, dns.log, ssl.log" }, { "name": "NSM:Flow", "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)" }, { "name": "NSM:Flow", "channel": "icmp.log, weird.log" }, { "name": "NSM:Flow", "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)" }, { "name": "NSM:Flow", "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts" }, { "name": "NSM:Flow", "channel": 
"DHCP OFFER or ACK with unauthorized DNS/gateway parameters" }, { "name": "NSM:Flow", "channel": "Multiple DHCP OFFER responses for a single DISCOVER" }, { "name": "NSM:Flow", "channel": "SSL/TLS Handshake Analysis" }, { "name": "NSM:Flow", "channel": "HTTP Header Metadata" }, { "name": "NSM:Flow", "channel": "Network Capture TLS/HTTP" }, { "name": "NSM:Flow", "channel": "container egress to unknown IPs/domains" }, { "name": "NSM:Flow", "channel": "HTTP Request Logging" }, { "name": "NSM:Flow", "channel": "ssh connections originating from third-party CIDRs" }, { "name": "NSM:Flow", "channel": "ssh/smb connections to internal resources from third-party devices" }, { "name": "NSM:Flow", "channel": "Degraded encryption throughput or switch to weaker cipher suites compared to historical baselines" }, { "name": "NSM:Flow", "channel": "ssl.log (for TLS handshake analysis), dns.log (tunneling indicators)" }, { "name": "NSM:Flow", "channel": "host switch egress data" }, { "name": "NSM:Flow", "channel": "Outbound HTTP/S" }, { "name": "NSM:Flow", "channel": "ssl.log - Certificate Analysis" }, { "name": "NSM:Flow", "channel": "ssl.log, conn.log" }, { "name": "NSM:Flow", "channel": "ssl.log, x509.log" }, { "name": "NSM:Flow", "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)" }, { "name": "NSM:Flow", "channel": "Suspicious POSTs to upload endpoints" }, { "name": "NSM:Flow", "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write" }, { "name": "NSM:Flow", "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app" }, { "name": "NSM:Flow", "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, 
text/javascript)" }, { "name": "NSM:Flow", "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans" }, { "name": "NSM:Flow", "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline" }, { "name": "NSM:Flow", "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior" }, { "name": "NSM:Flow", "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss" }, { "name": "NSM:Flow", "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss" }, { "name": "NSM:Flow", "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit" }, { "name": "NSM:Flow", "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window" }, { "name": "NSM:Flow", "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window" }, { "name": "NSM:Flow", "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase" }, { "name": "NSM:Flow", "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the 
acquisition phase" }, { "name": "NSM:Flow", "channel": "Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry" }, { "name": "NSM:Flow", "channel": "Traffic spike preceding control crash" }, { "name": "NSM:Inspection", "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation" }, { "name": "NSM:Inspection", "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect" }, { "name": "saas:box", "channel": "API calls exceeding baseline thresholds" }, { "name": "saas:confluence", "channel": "REST API access from non-browser agents" }, { "name": "TelecomLogs:SS7Signaling", "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns" }, { "name": "TelecomLogs:SS7Signaling", "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities" }, { "name": "VPN:MobileProxy", "channel": "Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion" }, { "name": "VPN:MobileProxy", "channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class" }, { "name": 
"VPN:MobileProxy", "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior" }, { "name": "VPN:MobileProxy", "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow" }, { "name": "VPN:MobileProxy", "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity" }, { "name": "VPN:MobileProxy", "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category" }, { "name": "VPN:MobileProxy", "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow" }, { "name": "VPN:MobileProxy", "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval" }, { "name": "VPN:MobileProxy", "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity" }, { "name": "VPN:MobileProxy", "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service 
class" }, { "name": "VPN:MobileProxy", "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content" }, { "name": "VPN:MobileProxy", "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile" }, { "name": "VPN:MobileProxy", "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session" }, { "name": "VPN:MobileProxy", "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior" }, { "name": "VPN:MobileProxy", "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception" }, { "name": "VPN:MobileProxy", "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception" }, { "name": "WebProxy:AccessLogs", "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)" }, { "name": "WIDS:AssociationLogs", "channel": "Unauthorized AP or anomalous MAC address connection attempts" }, { "name": "WinEventLog:iis", "channel": "IIS Logs" }, { "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", "channel": "Unusual external domain access" }, { "name": "WinEventLog:Sysmon", "channel": "Outbound requests with forged tokens/cookies in headers" }, { "name": "WinEventLog:System", "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)" } ] }, { 
"type": "x-mitre-data-component", "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0032", "external_id": "DC0032" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-13T15:49:16.424Z", "name": "Process Creation", "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environment variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Process", "channel": "None" }, { "name": "auditd:SYSCALL", "channel": "execve" }, { "name": "macos:unifiedlog", "channel": "log stream 'eventMessage contains pubsub or broker'" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=1" }, { "name": "linux:osquery", "channel": "Execution of binary resolved from $PATH not located in /usr/bin or /bin" }, { "name": "macos:unifiedlog", "channel": "Process execution path inconsistent with baseline PATH directories" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_EXEC" }, { "name": "WinEventLog:Security", "channel": "EventCode=4688" }, { "name": "linux:osquery", "channel": "process_events" }, { "name": "macos:endpointsecurity", "channel": "exec" }, { "name": "macos:osquery", "channel": "processes" }, { "name": 
"macos:unifiedlog", "channel": "Execution of launchctl with suspicious arguments" }, { "name": "auditd:SYSCALL", "channel": "execve network tools" }, { "name": "macos:osquery", "channel": "process_events" }, { "name": "auditd:SYSCALL", "channel": "execve calls to soffice.bin with suspicious macro execution flags" }, { "name": "macos:unifiedlog", "channel": "Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts" }, { "name": "macos:osquery", "channel": "process reading browser configuration paths" }, { "name": "macos:unifiedlog", "channel": "exec logs" }, { "name": "auditd:EXECVE", "channel": "execve: Processes launched with LD_PRELOAD/LD_LIBRARY_PATH pointing to non-system dirs" }, { "name": "macos:endpointsecurity", "channel": "exec: Process execution context for loaders calling dlopen/dlsym" }, { "name": "auditd:EXECVE", "channel": "EXECVE" }, { "name": "auditd:EXECVE", "channel": "execution of unexpected binaries during user shell startup" }, { "name": "macos:unifiedlog", "channel": "launch of Terminal.app or shell with non-standard environment setup" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_EXEC with unusual parent-child process relationships from zsh" }, { "name": "auditd:SYSCALL", "channel": "execve of systemctl or service stop" }, { "name": "auditd:SYSCALL", "channel": "execve of launchctl or pkill" }, { "name": "macos:unifiedlog", "channel": "process::exec" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of klist, kinit, or tools interacting with ccache outside normal user context" }, { "name": "macos:osquery", "channel": "Execution of non-standard binaries accessing Kerberos APIs" }, { "name": "auditd:SYSCALL", "channel": "execve: Electron-based binary spawning shell or script interpreter" }, { "name": "macos:unifiedlog", "channel": "Electron app spawning unexpected child process" }, { "name": "esxi:shell", "channel": "/root/.ash_history or /etc/init.d/*" }, { "name": 
"auditd:SYSCALL", "channel": "execve calls with high-frequency or known bandwidth-intensive tools" }, { "name": "macos:unifiedlog", "channel": "exec or spawn calls to proxy tools or torrent clients" }, { "name": "containers:osquery", "channel": "bandwidth-intensive command execution from within a container namespace" }, { "name": "macos:unifiedlog", "channel": "process launch" }, { "name": "macos:unifiedlog", "channel": "log stream --info --predicate 'subsystem == \"com.apple.cfprefsd\"'" }, { "name": "macos:unifiedlog", "channel": "execution of security, sqlite3, or unauthorized binaries" }, { "name": "macos:unifiedlog", "channel": "Unexpected applications generating outbound DNS queries" }, { "name": "linux:Sysmon", "channel": "EventCode=1" }, { "name": "macos:osquery", "channel": "execve" }, { "name": "macos:unifiedlog", "channel": "Unexpected child process of Safari or Chrome" }, { "name": "auditd:SYSCALL", "channel": "execve or syscall invoking vm artifact check commands (e.g., dmidecode, lspci, dmesg)" }, { "name": "macos:unifiedlog", "channel": "execution of system_profiler, ioreg, kextstat with argument patterns related to VM/sandbox checks" }, { "name": "macos:unifiedlog", "channel": "process writes or modifies files in excluded paths" }, { "name": "macos:unifiedlog", "channel": "process" }, { "name": "macos:unifiedlog", "channel": "com.apple.mail.* exec.*" }, { "name": "macos:unifiedlog", "channel": "execution of memory inspection tools (lldb, gdb, osqueryi)" }, { "name": "esxi:vobd", "channel": "/var/log/vobd.log" }, { "name": "kubernetes:apiserver", "channel": "kubectl exec or kubelet API calls targeting running pods" }, { "name": "docker:audit", "channel": "Process execution events within container namespace context" }, { "name": "auditd:SYSCALL", "channel": "process persists beyond parent shell termination" }, { "name": "macos:unifiedlog", "channel": "background process persists beyond user logout" }, { "name": "auditd:SYSCALL", "channel": "execve: 
Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir)" }, { "name": "macos:unifiedlog", "channel": "Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns" }, { "name": "esxi:hostd", "channel": "process execution across cloud VM" }, { "name": "auditd:EXECVE", "channel": "systemctl spawning managed processes" }, { "name": "macos:unifiedlog", "channel": "None" }, { "name": "esxi:shell", "channel": "/var/log/shell.log" }, { "name": "macos:unifiedlog", "channel": "Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)" }, { "name": "macos:unifiedlog", "channel": "exec events where web process starts a shell/tooling" }, { "name": "docker:events", "channel": "Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container" }, { "name": "macos:unifiedlog", "channel": "exec of osascript, bash, curl with suspicious parameters" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context" }, { "name": "macos:endpointsecurity", "channel": "es_event_exec" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of discovery commands targeting backup binaries, processes, or config paths" }, { "name": "macos:unifiedlog", "channel": "Process execution logs showing discovery commands like mdfind, system_profiler, or launchctl list" }, { "name": "macos:osquery", "channel": "process_events OR launchd" }, { "name": "auditd:EXECVE", "channel": "execve" }, { "name": "macos:osquery", "channel": "launchd or process_events" }, { "name": "macos:unifiedlog", "channel": "process and file events via log stream" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of scripts or binaries spawned from browser processes" }, { "name": "macos:unifiedlog", "channel": "Browser processes launching unexpected interpreters (osascript, 
bash)" }, { "name": "macos:unifiedlog", "channel": "exec: Execution of defaults, plutil, or common editors (vim/nano) targeting plist files" }, { "name": "auditd:SYSCALL", "channel": "EXECVE" }, { "name": "macos:unifiedlog", "channel": "process:exec" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of bash, python, or perl processes spawned by browser/email client" }, { "name": "macos:unifiedlog", "channel": "Execution of osascript, bash, or Terminal initiated from Mail.app or Safari" }, { "name": "auditd:SYSCALL", "channel": "execve of /bin/sh,/bin/bash,/usr/bin/curl,/usr/bin/python by service accounts (e.g., apache, mysql, nobody) immediately after inbound network activity." }, { "name": "macos:osquery", "channel": "parent_name in ('sshd','httpd','screensharingd') spawning shells or scripting runtimes." }, { "name": "macos:unifiedlog", "channel": "process activity stream" }, { "name": "auditd:SYSCALL", "channel": "SYSCALL record where exe contains passwd/userdel/chage and auid != root" }, { "name": "macos:unifiedlog", "channel": "Post-login execution of unrecognized child process from launchd or loginwindow" }, { "name": "auditd:SYSCALL", "channel": "execve of base64|openssl|xxd|python|perl with arguments matching Base64 flags" }, { "name": "macos:unifiedlog", "channel": "process command line contains base64, -enc, openssl enc -base64" }, { "name": "macos:endpointsecurity", "channel": "exec: arguments contain Base64-like strings" }, { "name": "esxi:shell", "channel": "commands containing base64, openssl enc -base64, xxd -p" }, { "name": "macos:unifiedlog", "channel": "Execution of process launched via loginwindow session restore" }, { "name": "macos:unifiedlog", "channel": "process: exec + filewrite: ~/.ssh/authorized_keys" }, { "name": "containerd:runtime", "channel": "/var/log/containers/*.log" }, { "name": "macos:unifiedlog", "channel": "Execution of Java apps or other processes with hidden window attributes" }, { "name": "macos:unifiedlog", 
"channel": "Process Execution" }, { "name": "auditd:SYSCALL", "channel": "execve on code or jetbrains-gateway with remote flags" }, { "name": "macos:unifiedlog", "channel": "process: code or jetbrains-gateway launching with --tunnel or --remote" }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'processImagePath CONTAINS \"curl\" OR \"osascript\"'" }, { "name": "auditd:EXECVE", "channel": "Execution of dd, shred, wipe targeting block devices" }, { "name": "auditd:SYSCALL", "channel": "execve of sleep or ping command within script interpreted by bash/python" }, { "name": "auditd:SYSCALL", "channel": "execve or socket/connect system calls from processes using crypto libraries" }, { "name": "macos:unifiedlog", "channel": "Process using AES/RC4 routines unexpectedly" }, { "name": "linux:osquery", "channel": "execution of known firewall binaries" }, { "name": "auditd:SYSCALL", "channel": "type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime" }, { "name": "linux:osquery", "channel": "execve: command like 'date', 'timedatectl', 'hwclock', 'cat /etc/timezone'" }, { "name": "macos:unifiedlog", "channel": "process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery" }, { "name": "macos:endpointsecurity", "channel": "exec: binary == \"/usr/sbin/systemsetup\" and args contains \"-gettimezone\"" }, { "name": "macos:osquery", "channel": "execve: command LIKE '%systemsetup -gettimezone%' OR '%date%'" }, { "name": "macos:unifiedlog", "channel": "execution of osascript, curl, or unexpected automation" }, { "name": "macos:unifiedlog", "channel": "exec /usr/bin/pwpolicy" }, { "name": "auditd:SYSCALL", "channel": "socket(AF_PACKET|AF_INET, SOCK_RAW, *), setsockopt(\u2026 SO_ATTACH_FILTER|SO_ATTACH_BPF \u2026), bpf(cmd=BPF_PROG_LOAD), open/openat path=\"/dev/bpf*\" (BSD/macOS-like) or setcap cap_net_raw." 
}, { "name": "linux:syslog", "channel": "KERN messages about eBPF program load/verify or LSM denials related to bpf." }, { "name": "OpenBSM:AuditTrail", "channel": "open/openat of /dev/bpf*; ioctl BIOCSETF-like operations." }, { "name": "macos:unifiedlog", "channel": "Exec of tcpdump, rvictl, custom tools linked to libpcap.A.dylib; sysextd/systemextensionsctl events for NetworkExtension content filters." }, { "name": "auditd:EXECVE", "channel": "/usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail" }, { "name": "auditd:SYSCALL", "channel": "execution of known flash tools (e.g., flashrom, fwupd)" }, { "name": "macos:unifiedlog", "channel": "com.apple.firmwareupdater activity or update-firmware binary invoked" }, { "name": "auditd:SYSCALL", "channel": "execve of system tools like dmidecode, lspci, lscpu, dmesg, systemd-detect-virt" }, { "name": "macos:unifiedlog", "channel": "exec or spawn of 'system_profiler', 'ioreg', 'kextstat', 'sysctl', or calls to sysctl API" }, { "name": "macos:endpointSecurity", "channel": "ES_EVENT_TYPE_NOTIFY_EXEC" }, { "name": "auditd:SYSCALL", "channel": "execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)" }, { "name": "macos:osquery", "channel": "execve: Processes unexpectedly invoking Keychain or authentication APIs" }, { "name": "auditd:SYSCALL", "channel": "execve: execve calls where a browser/webview process is parent and child is interpreter (python, sh, ruby) or downloader (curl, wget)" }, { "name": "macos:unifiedlog", "channel": "process_create: Process creation where parent is Safari/Google Chrome and child is script interpreter or signed-but-unusual helper binary" }, { "name": "auditd:EXECVE", "channel": "None" }, { "name": "macos:unifiedlog", "channel": "process:launch" }, { "name": "auditd:EXECVE", "channel": "Shell commands invoked by SQL process such as postgres, mysqld, or mariadbd" }, { "name": "auditd:SYSCALL", "channel": "execve of smbclient, smbmap, rpcclient, nmblookup, 
crackmapexec smb" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of \"sharing -l\", \"smbutil view\", \"mount_smbfs\"" }, { "name": "macos:unifiedlog", "channel": "Execution of scp, rsync, curl with remote destination" }, { "name": "macos:unifiedlog", "channel": "logMessage contains pbpaste or osascript" }, { "name": "auditd:SYSCALL", "channel": "execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk)" }, { "name": "macos:unifiedlog", "channel": "process launch of diskutil or system_profiler with SPStorageDataType" }, { "name": "esxi:hostd", "channel": "execution of esxcli with args matching 'storage', 'filesystem', 'core device list'" }, { "name": "macos:unifiedlog", "channel": "Mail.app executing with parameters updating rules state" }, { "name": "esxi:shell", "channel": "/var/log/vmkernel.log, /var/log/vmkwarning.log" }, { "name": "macos:endpointsecurity", "channel": "exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera" }, { "name": "kubernetes:apiserver", "channel": "exec into pod followed by secret retrieval via API" }, { "name": "macos:unifiedlog", "channel": "process_name IN (\"VBoxManage\", \"prlctl\") AND command CONTAINS (\"list\", \"show\")" }, { "name": "macos:unifiedlog", "channel": "exec srm|exec openssl|exec gpg" }, { "name": "linux:osquery", "channel": "Process execution with LD_PRELOAD or modified library path" }, { "name": "macos:unifiedlog", "channel": "Execution of process with DYLD_INSERT_LIBRARIES set" }, { "name": "linux:Sysmon", "channel": "process creation events linked to container namespaces executing host-level binaries" }, { "name": "macos:unifiedlog", "channel": "process and signing chain events" }, { "name": "macos:unifiedlog", "channel": "launchservices events for misleading extensions" }, { "name": "fs:fsusage", "channel": "Execution of disguised binaries" }, { "name": "linux:osquery", "channel": "process listening or 
connecting on non-standard ports" }, { "name": "macos:unifiedlog", "channel": "launchd services binding to non-standard ports" }, { "name": "auditd:SYSCALL", "channel": "execve, connect" }, { "name": "esxi:cron", "channel": "process or cron activity" }, { "name": "macos:unifiedlog", "channel": "Execution of binaries with unsigned or anomalously signed certificates" }, { "name": "auditd:SYSCALL", "channel": "execve logging for /usr/bin/systemctl and systemd-run" }, { "name": "macos:osquery", "channel": "Invocation of osascript or dylib injection" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of files saved in mail or download directories" }, { "name": "macos:unifiedlog", "channel": "Execution of Terminal, osascript, or other interpreters originating from Mail or Preview" }, { "name": "macos:unifiedlog", "channel": "process events" }, { "name": "linux:syslog", "channel": "Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http" }, { "name": "macos:unifiedlog", "channel": "Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of CLI tools like psql, mysql, mongo, sqlite3" }, { "name": "macos:unifiedlog", "channel": "Process start of Java or native DB client tools" }, { "name": "macos:unifiedlog", "channel": "loginwindow or tccd-related entries" }, { "name": "macos:osquery", "channel": "query: process_events, launchd, and tcc.db access" }, { "name": "ebpf:syscalls", "channel": "process execution or network connect from just-created container PID namespace" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of pip, npm, gem, or similar package managers" }, { "name": "macos:unifiedlog", "channel": "Command line invocation of pip3, brew install, npm install from interactive Terminal" }, { "name": "auditd:SYSCALL", "channel": "fork/exec of service via PID 1 (systemd)" }, { "name": "auditd:EXECVE", "channel": 
"Execution of ssh/scp/sftp without corresponding authentication log" }, { "name": "macos:unifiedlog", "channel": "Execution of ssh or sftp without corresponding login event" }, { "name": "auditd:SYSCALL", "channel": "execve: execve where exe=/usr/bin/python3 or similar interpreter" }, { "name": "macos:unifiedlog", "channel": "launch of remote desktop app or helper binary" }, { "name": "macos:unifiedlog", "channel": "Unexpected processes making network calls based on DNS-derived ports" }, { "name": "macos:unifiedlog", "channel": "launchctl spawning new processes" }, { "name": "macos:unifiedlog", "channel": "launchctl activity and process creation" }, { "name": "containerd:events", "channel": "New container with suspicious image name or high resource usage" }, { "name": "macos:unifiedlog", "channel": "Execution of Python, Swift, or other binaries invoking archiving libraries" }, { "name": "linux:osquery", "channel": "Processes linked with libssl or crypto libraries making outbound connections" }, { "name": "macos:unifiedlog", "channel": "Process invoking SSL routines from Security framework" }, { "name": "auditd:SYSCALL", "channel": "Execution of binaries located in /etc/init.d/ or systemd service paths" }, { "name": "macos:unifiedlog", "channel": "Execution of binary listed in newly modified LaunchAgent plist" }, { "name": "macos:unifiedlog", "channel": "Execution of bless or nvram modifying boot parameters" }, { "name": "macos:unifiedlog", "channel": "Unexpected processes registered with launchd" }, { "name": "macos:unifiedlog", "channel": "Process launch" }, { "name": "macos:unifiedlog", "channel": "execution of curl, osascript, or unexpected Office processes" }, { "name": "macos:osquery", "channel": "exec" }, { "name": "macos:unifiedlog", "channel": "Trust validation failures or bypass attempts during notarization and code signing checks" }, { "name": "esxi:vmkernel", "channel": "spawned shell or execution environment activity" }, { "name": "macos:unifiedlog", 
"channel": "process_exec: image in {/bin/bash,/bin/zsh,/usr/bin/osascript,/usr/bin/python*,/usr/bin/curl,/usr/bin/ssh,/usr/bin/open} AND parent in {Preview, TextEdit, Microsoft Word, Microsoft Excel, AdobeReader, Archive Utility, Finder}" }, { "name": "auditd:SYSCALL", "channel": "execve: exe in {/bin/bash,/bin/sh,/usr/bin/python*,/usr/bin/perl,/usr/bin/php,/usr/bin/node,/usr/bin/curl,/usr/bin/wget,/usr/bin/xdg-open,/usr/bin/ssh,/usr/bin/rundll32 (wine)} AND ppid process is a document viewer/browser" }, { "name": "auditd:EXECVE", "channel": "Execution of dd/sgdisk with arguments writing to sector 0 or partition table" }, { "name": "macos:unifiedlog", "channel": "Execution of zip, ditto, hdiutil, or openssl by processes not normally associated with archiving" }, { "name": "macos:unifiedlog", "channel": "process execution events for chmod, chown, chflags with unusual parameters or targets" }, { "name": "m365:defender", "channel": "AdvancedHunting(DeviceEvents, ProcessCreate, ImageLoad, AMSI/ETW derived signals)" }, { "name": "macos:unifiedlog", "channel": "execve or dylib load from memory without backing file" }, { "name": "auditd:SYSCALL", "channel": "execve: Commands that alter firewall or start listeners: iptables|nft|ufw|firewall-cmd|pfctl|systemctl start sshd/telnet/dropbear; raw-socket/libpcap tools (tcpdump, tshark, nmap --raw)." }, { "name": "macos:unifiedlog", "channel": "exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers." 
}, { "name": "esxi:shell", "channel": "Shell Execution" }, { "name": "macos:unifiedlog", "channel": "Unusual child process tree indicating attempted recovery after crash" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of binaries/scripts presenting false health messages for security daemons" }, { "name": "macos:unifiedlog", "channel": "Execution of processes mimicking Apple Security & Privacy GUIs" }, { "name": "auditd:SYSCALL", "channel": "execve, setifflags" }, { "name": "macos:osquery", "channel": "process_events where path like '%tcpdump%'" }, { "name": "auditd:EXECVE", "channel": "Execution of dd, shred, or wipe with arguments targeting block devices" }, { "name": "auditd:EXECVE", "channel": "systemctl stop auditd, kill -9 , or modifications to /etc/selinux/config" }, { "name": "macos:unifiedlog", "channel": "execution of curl, git, or Office processes with network connections" }, { "name": "macos:unifiedlog", "channel": "log stream - process subsystem" }, { "name": "auditd:SYSCALL", "channel": "execve calls for qemu-system*, kvm, or VBoxHeadless" }, { "name": "macos:unifiedlog", "channel": "Process execution for VBoxHeadless, prl_vm_app, vmware-vmx" }, { "name": "macos:unifiedlog", "channel": "process logs" }, { "name": "esxi:shell", "channel": "None" }, { "name": "auditd:SYSCALL", "channel": "execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets" }, { "name": "macos:unifiedlog", "channel": "command line or log output shows non-standard encoding routines" }, { "name": "esxi:shell", "channel": "commands containing long non-standard tokens or custom lookup tables" }, { "name": "macos:unifiedlog", "channel": "Execution of /usr/sbin/installer spawning child process from within /private/tmp or package contents" }, { "name": 
"auditd:SYSCALL", "channel": "Execution of dpkg or rpm followed by fork/execve from within postinst, prerm, etc." }, { "name": "macos:unifiedlog", "channel": "execve: Helper tools invoked through XPC executing unexpected binaries" }, { "name": "macos:unifiedlog", "channel": "execution of modified binary without valid signature" }, { "name": "auditd:SYSCALL", "channel": "execve: exe in (/usr/bin/bash,/usr/bin/sh,/usr/bin/zsh,/usr/bin/python*) AND cmdline matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64\\s*-d|python\\s*-c'" }, { "name": "macos:unifiedlog", "channel": "exec: ParentImage in (Terminal, iTerm2) AND Image in (/bin/zsh,/bin/bash,/usr/bin/python*) AND CommandLine matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64 -D|python -c'" }, { "name": "macos:unifiedlog", "channel": "process created with repeated ICMP or UDP flood behavior" }, { "name": "fs:fsusage", "channel": "binary execution of security_authtrampoline" }, { "name": "macos:unifiedlog", "channel": "process: exec" }, { "name": "esxi:vmkernel", "channel": "Exec" }, { "name": "macos:unifiedlog", "channel": "Child processes of Safari, Chrome, or Firefox executing scripting interpreters" }, { "name": "macos:unifiedlog", "channel": "Execution of older or non-standard interpreters" }, { "name": "linux:osquery", "channel": "process execution events for permission modification utilities with command-line analysis" }, { "name": "macos:unifiedlog", "channel": "process execution events for chmod, chown, chflags with parameter analysis and target path examination" }, { "name": "macos:osquery", "channel": "process execution monitoring for permission modification utilities with command-line argument analysis" }, { "name": "auditd:SYSCALL", "channel": "Invocation of packet generation tools (e.g., hping3, nping) or fork bombs" }, { "name": "macos:osquery", "channel": "Execution of flooding tools or compiled packet generators" }, { "name": "esxi:hostd", "channel": "process" }, { "name": "auditd:SYSCALL", "channel": 
"execve for proxy tools" }, { "name": "macos:unifiedlog", "channel": "process, socket, and DNS logs" }, { "name": "macos:osquery", "channel": "process_events table" }, { "name": "macos:unifiedlog", "channel": "Command line containing `trap` or `echo 'trap` written to login shell files" }, { "name": "macos:unifiedlog", "channel": "log collect --predicate" }, { "name": "auditd:SYSCALL", "channel": "execve or nanosleep with no stdout/stderr I/O" }, { "name": "macos:unifiedlog", "channel": "launchd or osascript spawns process with delay command" }, { "name": "linux:syslog", "channel": "systemd-udevd spawning user-defined action from RUN+=" }, { "name": "ebpf:syscalls", "channel": "execve" }, { "name": "macos:unifiedlog", "channel": "process:spawn" }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'eventMessage contains \"exec\"'" }, { "name": "auditd:EXECVE", "channel": "cat|less|grep accessing .bash_history from a non-shell process" }, { "name": "auditd:EXECVE", "channel": "Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart" }, { "name": "auditd:SYSCALL", "channel": "Execution of dpkg, rpm, or other package manager with list flag" }, { "name": "macos:unifiedlog", "channel": "Execution of system_profiler or osascript invoking enumeration" }, { "name": "auditd:SYSCALL", "channel": "apache2 or nginx spawning sh, bash, or python interpreter" }, { "name": "macos:unifiedlog", "channel": "httpd spawning bash, zsh, python, or osascript" }, { "name": "macos:unifiedlog", "channel": "Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts" }, { "name": "macos:unifiedlog", "channel": "execution of security or osascript" }, { "name": "macos:unifiedlog", "channel": "launchd spawning processes tied to new or modified LaunchDaemon .plist entries" }, { "name": "macos:unifiedlog", "channel": "Execution of ping, nping, or crafted network packets via 
bash or python to reflection services" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of commands modifying iptables/nftables to block selective IPs" }, { "name": "macos:unifiedlog", "channel": "System process modifications altering DNS/proxy settings" }, { "name": "containerd:Events", "channel": "unusual process spawned from container image context" }, { "name": "macos:osquery", "channel": "curl, python scripts, rsync with internal share URLs" }, { "name": "macos:unifiedlog", "channel": "process: spawn, exec" }, { "name": "macos:osquery", "channel": "Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)" }, { "name": "macos:unifiedlog", "channel": "Process creation events where command line = pmset with arguments affecting sleep, hibernatemode, displaysleep" }, { "name": "macos:unifiedlog", "channel": "Unexpected apps performing repeated DNS lookups" }, { "name": "macos:unifiedlog", "channel": "launchservices or loginwindow events" }, { "name": "auditd:SYSCALL", "channel": "execve with LD_PRELOAD or linker-related environment variables set" }, { "name": "macos:unifiedlog", "channel": "execution of process with DYLD_INSERT_LIBRARIES set" }, { "name": "macos:unifiedlog", "channel": "Suspicious Swift/Objective-C or scripting processes writing archive-like outputs" }, { "name": "auditd:SYSCALL", "channel": "execve of re-parented process" }, { "name": "linux:osquery", "channel": "Anomalous parent PID change" }, { "name": "macos:unifiedlog", "channel": "Process creation with parent PID of 1 (launchd)" }, { "name": "linux:osquery", "channel": "child process invoking dynamic linker post-ptrace" }, { "name": "macos:osquery", "channel": "Processes executing kextload, spctl, or modifying kernel extension directories" }, { "name": "macos:osquery", "channel": "Unsigned or ad-hoc signed process executions in user contexts" }, { "name": "macos:unifiedlog", "channel": "Execution of diskutil or hdiutil attaching hidden partitions" }, { "name": 
"macos:unifiedlog", "channel": "process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis" }, { "name": "macos:osquery", "channel": "process event monitoring with focus on discovery utilities and cryptographic framework usage correlation" }, { "name": "macos:unifiedlog", "channel": "Unexpected apps generating frequent DNS queries" }, { "name": "macos:unifiedlog", "channel": "process exec" }, { "name": "auditd:SYSCALL", "channel": "socket: Suspicious creation of AF_UNIX sockets outside expected daemons" }, { "name": "macos:unifiedlog", "channel": "Non-standard processes invoking financial applications or payment APIs" }, { "name": "auditd:SYSCALL", "channel": "execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells" }, { "name": "auditd:SYSCALL", "channel": "systemctl enable/start: Creation/enablement of custom .service units in /etc/systemd/system" }, { "name": "macos:unifiedlog", "channel": "Process exec of remote-control apps or binaries with headless/connect flags" }, { "name": "auditd:SYSCALL", "channel": "execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)" }, { "name": "macos:unifiedlog", "channel": "Execution of launchctl unload, kill, or removal of security agent daemons" }, { "name": "macos:unifiedlog", "channel": "process activity, exec events" }, { "name": "macos:unifiedlog", "channel": "log stream process subsystem" }, { "name": "macos:unifiedlog", "channel": "process:exec and kext load events" }, { "name": "macos:unifiedlog", "channel": "log stream --info --predicate 'eventMessage CONTAINS \"exec\"'" }, { "name": "WinEventLog:Microsoft-Windows-DotNETRuntime", "channel": "Unexpected AppDomain creation events or anomalous AppDomainManager assembly load behavior" }, { "name": "auditd:SYSCALL", "channel": "Execution of network stress tools or anomalies in socket/syscall behavior" }, { 
"name": "macos:unifiedlog", "channel": "Unsigned binary execution following SIP change" }, { "name": "auditd:SYSCALL", "channel": "execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark)" }, { "name": "macos:unifiedlog", "channel": "exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers" }, { "name": "macos:unifiedlog", "channel": "Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes" }, { "name": "macos:unifiedlog", "channel": "Execution of binaries with TCC protected access under unexpected parent processes such as Finder.app, SystemUIServer, or nsurlsessiond" }, { "name": "WinEventLog:AppLocker", "channel": "EventCode=8003, 8004" }, { "name": "auditd:SYSCALL", "channel": "execve, unlink" }, { "name": "macos:osquery", "channel": "launchd, processes" }, { "name": "linux:osquery", "channel": "socat, ssh, or nc processes opening unexpected ports" }, { "name": "macos:unifiedlog", "channel": "process execution of ssh with -L/-R forwarding flags" }, { "name": "macos:unifiedlog", "channel": "launchd or cron spawning mining binaries" }, { "name": "auditd:SYSCALL", "channel": "execve or socket/connect system calls for processes using RSA handshake" }, { "name": "macos:unifiedlog", "channel": "Process invoking SecKeyCreateRandomKey or asymmetric crypto APIs" }, { "name": "azure:vmguest", "channel": "Unexpected execution of cloud agent processes (e.g., WindowsAzureGuestAgent.exe, ssm-agent) followed by arbitrary script or binary execution" }, { "name": "macos:unifiedlog", "channel": "Script interpreter invoked by nginx/apache worker process" }, { "name": "macos:unifiedlog", "channel": "execution of Office binaries with network activity" }, { "name": "macos:unifiedlog", "channel": "launch of bash/zsh/python/osascript targeting key file locations" }, { "name": "macos:unifiedlog", 
"channel": "execution of /sbin/emond with child processes launched" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "provider: ETW CreateProcess events linking msbuild.exe to suspicious children where standard logs are incomplete" }, { "name": "macos:unifiedlog", "channel": "shutdown -h now or reboot" }, { "name": "macos:unifiedlog", "channel": "Execution of Code.app, idea, JetBrainsToolbox, eclipse with install/extension flags" }, { "name": "macos:unifiedlog", "channel": "process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis" }, { "name": "OpenBSM:AuditTrail", "channel": "BSM audit events for process execution and system call monitoring during reconnaissance" }, { "name": "esxi:hostd", "channel": "host daemon events related to VM operations and configuration queries during reconnaissance" }, { "name": "esxi:vmkernel", "channel": "VMware kernel events for hardware and system configuration access during environmental validation" }, { "name": "linux:osquery", "channel": "processes modifying environment variables related to history logging" }, { "name": "auditd:SYSCALL", "channel": "execve: parent process is usb/hid device handler, child process bash/python invoked" }, { "name": "macos:unifiedlog", "channel": "execution of curl, rclone, or Office apps invoking network sessions" }, { "name": "macos:unifiedlog", "channel": "exec: Execution of kextstat, kextfind, or ioreg targeting driver information" }, { "name": "macos:endpointsecurity", "channel": "exec events" }, { "name": "macos:unifiedlog", "channel": "Process creation involving binaries interacting with resource fork data" }, { "name": "macos:unifiedlog", "channel": "process event" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of suspicious exploit binaries targeting security daemons" }, { "name": "macos:osquery", "channel": "execve: Unsigned or unnotarized processes launched with high privileges" }, { "name": 
"macos:unifiedlog", "channel": "security OR injection attempts into 1Password OR LastPass" }, { "name": "AndroidLogs:Kernel", "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot" }, { "name": "iOS:unifiedlog", "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock" }, { "name": "AndroidLogs:Framework", "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox" }, { "name": "iOS:unifiedlog", "channel": "Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process" }, { "name": "android:logcat", "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process" }, { "name": "android:logcat", "channel": "startActivity on top of (launchMode/singleTop), task switch immediately after focus" }, { "name": "android:logcat", "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID" }, { "name": "MobileEDR:telemetry", "channel": "Application writes audio buffer or recorded audio file into application storage directories" }, { "name": "MobileEDR:telemetry", "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior" }, { "name": "MobileEDR:telemetry", "channel": "application installed from adb, sideload, or unknown USB source" }, { "name": "MobileEDR:telemetry", "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent 
command-execution bridge immediately before shell or command process creation" }, { "name": "MobileEDR:telemetry", "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor" }, { "name": "MobileEDR:telemetry", "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "created": "2026-03-11T16:00:13.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0123", "external_id": "DC0123" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-15T20:49:00.264Z", "name": "Application State", "description": "Application State represents the operational status and lifecycle context of a mobile application at a given point in time. 
This includes whether the application is running in the foreground or background, its activity state, recent user interaction, and transitions between lifecycle states.\n\nMonitoring application state helps defenders identify suspicious behavior where an application performs sensitive actions while inactive, in the background, or without recent user interaction.\n\nApplication state is particularly useful when detecting malicious activity that occurs outside normal user-driven workflows.\n\nExamples\nAndroid\n\n- Application transitions from foreground to background\n- Application running as a background service\n- Application started via broadcast receiver\n- Application launched automatically after device boot\n\niOS\n\n- Application entering active, inactive, or background state\n- Background task execution\n- Background fetch activity\n- Application wake events triggered by push notifications or system services\n\nData Collection Measures\n- Mobile EDR / MTD runtime monitoring\n- OS lifecycle event telemetry\n- Application runtime instrumentation\n- Mobile security platform behavioral monitoring\n", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "MobileEDR:telemetry", "channel": "Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context" }, { "name": "MobileEDR:telemetry", "channel": "Application wakes, becomes active, refreshes, or foregrounds immediately after locked or inactive state transition with weak recent user interaction" }, { "name": "MobileEDR:telemetry", "channel": "Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state" }, { "name": "MobileEDR:telemetry", 
"channel": "Application runs in foreground, service, or sustained background-active state while concentrated file transformation occurs with weak or no recent user interaction" }, { "name": "MobileEDR:telemetry", "channel": "Updated or newly delivered application becomes active, launches background services, or executes shortly after install/update with minimal user interaction inconsistent with baseline" }, { "name": "MobileEDR:telemetry", "channel": "Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction" }, { "name": "android:MDMLog", "channel": "Newly installed or updated application launches background service, becomes active without recent user interaction, or executes immediately after update in a pattern inconsistent with baseline" }, { "name": "MobileEDR:telemetry", "channel": "Protected resource use or privileged framework access occurs while device is locked, before normal setup completion, or from an app/service not in foreground and not on approved preload list" }, { "name": "MobileEDR:telemetry", "channel": "Managed app or device-originated network activity occurs while the device is locked or before expected managed app initialization sequence, inconsistent with expected background refresh baseline" }, { "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence" }, { "name": "MobileEDR:telemetry", "channel": "Recently installed or updated managed app begins background activity, persistent refresh, or lock-state-adjacent activity inconsistent with expected first-run behavior, user interaction timing, or historical baseline" }, { "name": "MobileEDR:telemetry", "channel": "App communicating with external web service is backgrounded, persistent, recently 
awakened, or active while device is locked or without recent user interaction in a way inconsistent with expected app behavior" }, { "name": "MobileEDR:telemetry", "channel": "Managed app shows background activity, refresh, or lock-state-adjacent execution temporally aligned to web-service communication without expected foreground use or recent user interaction" }, { "name": "MobileEDR:telemetry", "channel": "AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence" }, { "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked or BackgroundRefresh active during resolver\u2192pivot sequence" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before resolver request and pivot connection sequence" }, { "name": "MobileEDR:telemetry", "channel": "AppState=background when bidirectional exchange with public web-service domain began and no foreground transition occurred between retrieval and outbound write" }, { "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity" }, { "name": "MobileEDR:telemetry", "channel": "BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred" }, { "name": "MobileEDR:telemetry", "channel": "AppState=background when repeated retrieval from public web-service domain began and no foreground transition occurred during the retrieval sequence" }, { "name": "MobileEDR:telemetry", "channel": 
"DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity" }, { "name": "MobileEDR:telemetry", "channel": "AppState=background when non-standard-port session began and no foreground transition occurred during repeated or persistent connection sequence" }, { "name": "MobileEDR:telemetry", "channel": "DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before camera session start and no foreground transition occurred during sustained capture interval" }, { "name": "MobileEDR:telemetry", "channel": "Background activity, low-interaction device state, or DeviceLockState=locked was observed during sustained camera session or immediately before camera access from same bundle context" }, { "name": "MobileEDR:telemetry", "channel": "Capturing app remained backgrounded or foreground-service-only while screen capture session occurred and another app was foregrounded during capture interval" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before screen capture session start and no expected foreground transition or consent-linked interaction occurred during capture interval" }, { "name": "MobileEDR:telemetry", "channel": "Sensitive app category remained foregrounded during screen capture session from different app identity" }, { "name": "MobileEDR:telemetry", "channel": "Injecting app remained backgrounded or foreground-service-only while injected click, global action, or text insertion occurred in a different foreground 
app" }, { "name": "MobileEDR:telemetry", "channel": "LastUserInteractionDelta exceeded threshold before injected UI action and no matching touch interaction was observed for the target foreground app during injection sequence" }, { "name": "MobileEDR:telemetry", "channel": "Sensitive app category remained foregrounded during injected UI sequence from different app identity" }, { "name": "MobileEDR:telemetry", "channel": "Notification access event occurs while app_state=background AND device_state=locked OR no recent user interaction" }, { "name": "MobileEDR:telemetry", "channel": "Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction" }, { "name": "MobileEDR:telemetry", "channel": "Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction" }, { "name": "MobileEDR:telemetry", "channel": "TLS trust customization and outbound HTTPS session occur while app_state=background or device_locked=true or recent_user_interaction=false" }, { "name": "MobileEDR:telemetry", "channel": "Managed app initiates or resumes network-capable execution while app_state=background or device_locked=true before opaque TLS session attempt" }, { "name": "MobileEDR:telemetry", "channel": "Managed app enters background-capable execution or resumes processing immediately before archive-like file creation or upload behavior" }, { "name": "MobileEDR:telemetry", "channel": "Persistent foreground-service notification is created, updated, or remains visible while app behavior or notification identity is inconsistent with declared function during the persistence interval" }, { "name": "MobileEDR:telemetry", "channel": "Ingress transfer and local file creation occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase" }, { "name": "MobileEDR:telemetry", "channel": "Ingress retrieval and staging occur while app_state=background or 
device_locked=true or recent_user_interaction=false during the acquisition phase" }, { "name": "MobileEDR:telemetry", "channel": "Native library load or JNI-backed execution occurs while app_state=background or device_locked=true or recent_user_interaction=false during the execution phase" }, { "name": "MobileEDR:telemetry", "channel": "Modified or newly replaced application begins execution or persists while recent_user_interaction=false or device_locked=true or launch context is inconsistent with expected user-driven update flow" }, { "name": "MobileEDR:telemetry", "channel": "System event occurs (e.g., SMS received, device boot completed, network state changed) acting as trigger event for execution phase" }, { "name": "MobileEDR:telemetry", "channel": "application remains inactive across normal execution windows and transitions into background or foreground activity burst only when qualifying device context, lock state, locale, or network condition exists" }, { "name": "MobileEDR:telemetry", "channel": "application remains dormant, low-activity, or background-resident across non-qualifying locations and transitions into active execution only after geographic condition is met" }, { "name": "MobileEDR:telemetry", "channel": "application reduces or halts operational activity during periods of active user interaction and resumes background execution or periodic work only during low-motion or idle intervals" }, { "name": "MobileEDR:telemetry", "channel": "Security or monitoring application transitions to disabled, inactive, or non-reporting state while other applications remain active" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "created": "2023-03-13T20:48:14.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0118", "external_id": "DC0118" } ], 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-08T20:14:04.248Z", "name": "System Settings", "description": "System Settings represent user-visible or OS-level configuration settings that influence device behavior, application permissions, connectivity, or system features.\n\nMonitoring system settings changes allows defenders to detect abnormal modifications that may indicate malicious activity or device compromise.\n\n\nCollection Methods\n\n- MDM device telemetry\n- Mobile EDR monitoring\n- OS configuration monitoring\n", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "User Interface", "channel": "None" }, { "name": "MobileEDR:telemetry", "channel": "Microphone sensor activation or audio recording session initiated by application process" }, { "name": "MobileEDR:telemetry", "channel": "Application transitions to background or executes while screen locked during microphone session" }, { "name": "MobileEDR:telemetry", "channel": "Cellular service state transitions (in-service\u2192no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry" }, { "name": "MobileEDR:telemetry", "channel": "Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps" }, { "name": "android:MDMLog", "channel": "device USB mode change (charging to file transfer / debugging / accessory)" }, { "name": "iOS:MDMLog", "channel": "Trusted computer / host relationship established or relevant device trust setting changed" }, { "name": "android:MDMLog", "channel": "Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition 
with weak recent user interaction context" }, { "name": "android:MDMLog", "channel": "No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation" }, { "name": "iOS:MDMLog", "channel": "No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability" }, { "name": "MobileEDR:telemetry", "channel": "Camera sensor access began from app identity and remained active for sustained capture interval in app context not mapped to approved video recording workflow" }, { "name": "MobileEDR:telemetry", "channel": "Camera sensor access occurred while AppState=background, foreground service active without visible user action, or DeviceLockState=locked during capture interval" }, { "name": "MobileEDR:telemetry", "channel": "Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "created": "2023-03-13T19:59:14.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0112", "external_id": "DC0112" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-16T16:18:01.897Z", "name": "API Calls", "description": "API calls utilized by an application that could indicate malicious activity", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Application Vetting", "channel": "None" }, { "name": "iOS:unifiedlog", "channel": "Repeated sandbox 
or policy violations by a single process or app bundle (for example, deny rules) followed by successful access to resources or APIs that normally require higher privileges" }, { "name": "iOS:unifiedlog", "channel": "mmap with PROT_EXEC and PROT_WRITE by sandboxed app" }, { "name": "android:logcat", "channel": "SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", "created": "2024-03-29T14:59:30.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0119", "external_id": "DC0119" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-11T15:49:22.334Z", "name": "Application Assets", "description": "Application Assets represent static or packaged resources bundled with an application that may contain executable logic, configuration data, or hidden payloads.\n\nThese assets may include embedded binaries, scripts, configuration files, libraries, or other resources stored within the application package. 
Adversaries may hide malicious components within application assets to evade detection during installation or initial inspection.\n\nExamples\n\nAndroid:\n\n- Embedded .dex files loaded dynamically\n- Hidden native libraries in APK assets\n- Dropped payloads stored within the app sandbox\n\niOS:\n\n- Embedded frameworks\n- Configuration files within the application bundle\n- Hidden scripts or secondary binaries packaged with the app\n\nCollection Methods\n- Mobile EDR application inspection\n- Static application analysis\n- Application package scanning during install or sideload events\n", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Application Vetting", "channel": "None" }, { "name": "iOS:unifiedlog", "channel": "Application gaining or using unexpected background execution entitlements or modes" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0033", "external_id": "DC0033" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-11-12T22:03:39.105Z", "name": "Process Termination", "description": "The exit or termination of a running process on a system. 
This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Process", "channel": "None" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=5" }, { "name": "linux:syslog", "channel": "Unexpected termination of daemons or critical services not aligned with admin change tickets" }, { "name": "macos:osquery", "channel": "process_termination: Unexpected termination of processes tied to vulnerable or high-value services" }, { "name": "esxi:hostd", "channel": "Log entries indicating VM powered off or forcibly terminated" }, { "name": "macos:unifiedlog", "channel": "Terminal process killed (killall Terminal) immediately after sudoers modification" }, { "name": "auditd:SYSCALL", "channel": "exit_group" }, { "name": "macos:unifiedlog", "channel": "process.*exit.*code" }, { "name": "linux:osquery", "channel": "unexpected termination of syslog or rsyslog processes" }, { "name": "auditd:SYSCALL", "channel": "Process segfault or abnormal termination after invoking vulnerable syscall sequence" }, { "name": "auditd:SYSCALL", "channel": "kill syscalls targeting logging/security processes" }, { "name": "macos:unifiedlog", "channel": "Termination of syspolicyd or XProtect processes" }, { "name": "docker:runtime", "channel": "Termination of monitoring sidecar or security container" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/datacomponents/DC0059", "external_id": "DC0059" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T18:33:47.956Z", "name": "File Metadata", "description": "Contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. Prefer SHA-256 for new matching; MD5 and SHA-1 are collision-prone and are best kept only for matching legacy feed entries.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "auditd:SYSCALL", "channel": "stat and lstat syscall results on files, including inode and permission info" }, { "name": "AndroidLogs:Framework", "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps" }, { "name": "auditd:CONFIG_CHANGE", "channel": "chmod or chown of hook files indicating privilege 
escalation or execution permission change" }, { "name": "auditd:PATH", "channel": "file path matches exclusion directories" }, { "name": "auditd:PATH", "channel": "PATH" }, { "name": "auditd:PATH", "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)" }, { "name": "auditd:SYSCALL", "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/" }, { "name": "auditd:SYSCALL", "channel": "PATH" }, { "name": "auditd:SYSCALL", "channel": "file write after sleep delay" }, { "name": "auditd:SYSCALL", "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)" }, { "name": "auditd:SYSCALL", "channel": "setuid or setgid bit changes" }, { "name": "auditd:SYSCALL", "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)" }, { "name": "auditd:SYSCALL", "channel": "setxattr or getxattr system call" }, { "name": "auditd:SYSCALL", "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*" }, { "name": "ebpf:syscalls", "channel": "Unexpected container volume unmount + file deletion" }, { "name": "EDR:detection", "channel": "App reputation telemetry" }, { "name": "EDR:file", "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)" }, { "name": "EDR:file", "channel": "File Metadata Analysis (PE overlays, entropy)" }, { "name": "esxi:hostd", "channel": "host daemon events related to file or VM permission changes" }, { "name": "esxi:syslog", "channel": "Datastore file hidden or renamed unexpectedly" }, { "name": "esxi:vmkernel", "channel": "Upload of file to datastore" }, { "name": "esxi:vmkernel", "channel": "Storage access and file ops" }, { "name": "esxi:vmkernel", "channel": "VMware kernel events for file system permission modifications" }, { "name": "esxi:vmkernel", "channel": "Datastore 
modification events" }, { "name": "File", "channel": "None" }, { "name": "fs:fileevents", "channel": "/var/log/install.log" }, { "name": "fs:filesystem", "channel": "Binary file hash changes outside of update/patch cycles" }, { "name": "fs:fsevents", "channel": "file system events indicating permission or attribute changes" }, { "name": "fs:fsusage", "channel": "filesystem monitoring of exec/open" }, { "name": "fwupd:logs", "channel": "Firmware updates applied or failed" }, { "name": "gatekeeper/quarantine database", "channel": "LaunchServices quarantine" }, { "name": "journald:package", "channel": "dpkg/apt or yum/dnf transaction logs (install/update of build tools)" }, { "name": "journald:package", "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals" }, { "name": "journald:package", "channel": "dpkg/apt install, remove, upgrade events" }, { "name": "journald:package", "channel": "yum/dnf install or update transactions" }, { "name": "linux:osquery", "channel": "event-based" }, { "name": "linux:osquery", "channel": "file_events, hash" }, { "name": "linux:osquery", "channel": "hash, elf_info, file_metadata" }, { "name": "linux:osquery", "channel": "file_events" }, { "name": "linux:osquery", "channel": "elf_info, hash, yara_matches" }, { "name": "linux:osquery", "channel": "Read headers and detect MIME type mismatch" }, { "name": "linux:osquery", "channel": "file_events.path" }, { "name": "linux:osquery", "channel": "Filesystem modifications to trusted paths" }, { "name": "linux:osquery", "channel": "Write or modify .desktop file in XDG autostart path" }, { "name": "linux:osquery", "channel": "hash, rpm_packages, deb_packages, file_events" }, { "name": "linux:syslog", "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp" }, { "name": "linux:syslog", "channel": "application or system execution logs" }, { "name": "linux:syslog", "channel": "file permission modification events in kernel messages" 
}, { "name": "linux:syslog", "channel": "kernel messages related to file system permission changes and security violations" }, { "name": "macos:endpointsecurity", "channel": "es_event_file_rename_t or es_event_file_write_t" }, { "name": "macos:endpointsecurity", "channel": "es_event_authentication" }, { "name": "macos:osquery", "channel": "code_signing, file_metadata" }, { "name": "macos:osquery", "channel": "file_events" }, { "name": "macos:osquery", "channel": "mach_o_info, file_metadata" }, { "name": "macos:unifiedlog", "channel": "softwareupdated/homebrew/install logs, pkginstalld events" }, { "name": "macos:unifiedlog", "channel": "AMFI or Gatekeeper signature/notarization failures for newly installed dev components" }, { "name": "macos:unifiedlog", "channel": "Detection of altered _VBA_PROJECT or PerformanceCache streams" }, { "name": "macos:unifiedlog", "channel": "subsystem:syspolicyd" }, { "name": "macos:unifiedlog", "channel": "File metadata updated with UF_HIDDEN flag" }, { "name": "macos:unifiedlog", "channel": "Code signature validation fails or is absent post-binary modification" }, { "name": "macos:unifiedlog", "channel": "Code signing verification failures or bypassed trust decisions" }, { "name": "macos:unifiedlog", "channel": "Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/" }, { "name": "macos:unifiedlog", "channel": "filesystem events" }, { "name": "macos:unifiedlog", "channel": "xattr -d com.apple.quarantine or similar attribute removal commands" }, { "name": "macos:unifiedlog", "channel": "Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2" }, { "name": "macos:unifiedlog", "channel": "pkginstalld/softwareupdated/Homebrew install transactions" }, { "name": "macos:unifiedlog", "channel": "AMFI/Gatekeeper code signature or notarization failures" }, { "name": "macos:unifiedlog", "channel": "kernel extension and system extension logs related to file system security 
violations or SIP bypass attempts" }, { "name": "macos:unifiedlog", "channel": "Unexpected application binary modifications or altered signing status" }, { "name": "macos:unifiedlog", "channel": "extended attribute write or modification" }, { "name": "macos:unifiedlog", "channel": "New certificate trust settings added by unexpected process" }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.lsd" }, { "name": "macos:unifiedlog", "channel": "installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer" }, { "name": "macos:unifiedlog", "channel": "Gatekeeper/AMFI 'code signature invalid' / 'not notarized' messages" }, { "name": "macos:unifiedlog", "channel": "File creation or modification with com.apple.ResourceFork extended attribute" }, { "name": "networkdevice:syslog", "channel": "OS version query results inconsistent with expected or approved version list" }, { "name": "NSM:Flow", "channel": "Observed File Transfers" }, { "name": "OpenBSM:AuditTrail", "channel": "BSM audit events for file permission modifications" }, { "name": "OpenBSM:AuditTrail", "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context" }, { "name": "saas:RepoEvents", "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)" }, { "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries" }, { "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "Unsigned or invalid image for newly installed/updated binaries" }, { "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "Code integrity violations in boot-start drivers or firmware" }, { "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "CodeIntegrity reports 'Invalid image 
hash' or 'Unsigned image' for new/updated binaries" }, { "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater" }, { "name": "WinEventLog:Security", "channel": "EventCode=4663, 4670, 4656" }, { "name": "WinEventLog:Security", "channel": "EventCode=4663, 4656, 4658" }, { "name": "WinEventLog:Setup", "channel": "MSI/Product install, repair or update events" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=15" }, { "name": "WinEventLog:Windows Defender", "channel": "Operational log" }, { "name": "WinEventLog:Windows Defender", "channel": "Operational" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0064", "external_id": "DC0064" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T19:47:16.123Z", "name": "Command Execution", "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. 
Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "android:logcat", "channel": "Command 'pm list packages' executed by app sandbox or child proc" }, { "name": "auditd:CONFIG_CHANGE", "channel": "udev rule reload or trigger command executed" }, { "name": "auditd:EXECVE", "channel": "execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content" }, { "name": "auditd:EXECVE", "channel": "Use of mv or cp to rename files with '.' 
prefix" }, { "name": "auditd:EXECVE", "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands" }, { "name": "auditd:EXECVE", "channel": "gcore, gdb, strings, hexdump execution" }, { "name": "auditd:EXECVE", "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd" }, { "name": "auditd:EXECVE", "channel": "execution of systemctl with subcommands start, stop, enable, disable" }, { "name": "auditd:EXECVE", "channel": "Execution of GUI-related binaries with suppressed window/display flags" }, { "name": "auditd:EXECVE", "channel": "curl -X POST, wget --post-data" }, { "name": "auditd:EXECVE", "channel": "command line arguments containing lsblk, fdisk, parted" }, { "name": "auditd:EXECVE", "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions" }, { "name": "auditd:EXECVE", "channel": "curl -d, wget --post-data" }, { "name": "auditd:EXECVE", "channel": "grep/cat/awk on files with password fields" }, { "name": "auditd:EXECVE", "channel": "git push, curl -X POST" }, { "name": "auditd:EXECVE", "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true" }, { "name": "auditd:EXECVE", "channel": "execution of setfattr or getfattr commands" }, { "name": "auditd:EXECVE", "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments" }, { "name": "auditd:EXECVE", "channel": "Execution of chattr to set +i or +a attributes" }, { "name": "auditd:EXECVE", "channel": "curl or wget with POST/PUT options" }, { "name": "auditd:EXECVE", "channel": "curl -T, rclone copy" }, { "name": "auditd:EXECVE", "channel": "execve of curl,wget,bash,sh,python with piped or remote content" }, { "name": "auditd:EXECVE", "channel": "execve, kill, ptrace, insmod, rmmod targeting security processes" }, { "name": "auditd:PROCTITLE", "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters" }, { "name": 
"auditd:PROCTITLE", "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)" }, { "name": "auditd:PROCTITLE", "channel": "process title records containing discovery command sequences and environmental assessment patterns" }, { "name": "auditd:PROCTITLE", "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)" }, { "name": "auditd:SYSCALL", "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments" }, { "name": "auditd:SYSCALL", "channel": "Execution of script interpreters by systemd timer (ExecStart)" }, { "name": "auditd:SYSCALL", "channel": "execve: Commands like systemctl stop , service stop, or kill -9 " }, { "name": "auditd:SYSCALL", "channel": "execve calls to locale, timedatectl, or cat /etc/timezone" }, { "name": "auditd:SYSCALL", "channel": "sleep function usage or loops (nanosleep, usleep) in scripts" }, { "name": "auditd:SYSCALL", "channel": "connect, execve, write" }, { "name": "auditd:SYSCALL", "channel": "execve call including 'nohup' or trailing '&'" }, { "name": "auditd:SYSCALL", "channel": "None" }, { "name": "auditd:SYSCALL", "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists" }, { "name": "auditd:SYSCALL", "channel": "chmod, execve" }, { "name": "auditd:SYSCALL", "channel": "execve: iptables, nft, firewall-cmd modifications" }, { "name": "auditd:SYSCALL", "channel": "execve: Invocation of scp, rsync, curl, or sftp" }, { "name": "auditd:SYSCALL", "channel": "execve calls modifying local mail filter configuration files" }, { "name": "auditd:SYSCALL", "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")" }, { "name": "auditd:SYSCALL", "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog" }, { "name": "auditd:SYSCALL", "channel": "execve: 
openssl pkcs12, certutil, keytool" }, { "name": "auditd:SYSCALL", "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args" }, { "name": "auditd:SYSCALL", "channel": "execution of systemctl or service with enable/start parameters" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries" }, { "name": "auditd:SYSCALL", "channel": "execve, USER_CMD" }, { "name": "auditd:SYSCALL", "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write" }, { "name": "auditd:SYSCALL", "channel": "execve: Processes executing sendmail/postfix with forged headers" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments" }, { "name": "auditd:SYSCALL", "channel": "promiscuous mode transitions (ioctl or ifconfig)" }, { "name": "auditd:SYSCALL", "channel": "chattr, rm, shred, dd run on recovery directories or partitions" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands" }, { "name": "auditd:SYSCALL", "channel": "Command line arguments including SPApplicationsDataType" }, { "name": "auditd:SYSCALL", "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports" }, { "name": "auditd:SYSCALL", "channel": "execution of tools like cat, grep, or awk on credential files" }, { "name": "auditd:SYSCALL", "channel": "execve of curl, rsync, wget with internal knowledge base or IPs" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit 
commands related to sleep/hibernate" }, { "name": "auditd:SYSCALL", "channel": "Execution of xev, xdotool, or input activity emulators" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip" }, { "name": "auditd:SYSCALL", "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes" }, { "name": "auditd:SYSCALL", "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection" }, { "name": "auditd:SYSCALL", "channel": "execve=/sbin/shutdown or /sbin/reboot" }, { "name": "auditd:SYSCALL", "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export" }, { "name": "auditd:SYSCALL", "channel": "execve calls to /usr/bin/locale or shell execution of $LANG" }, { "name": "auditd:SYSCALL", "channel": "execution of systemctl or service with enable/start/modify" }, { "name": "auditd:SYSCALL", "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules" }, { "name": "auditd:USER_CMD", "channel": "USER_CMD" }, { "name": "AWS:CloudTrail", "channel": "InvokeFunction" }, { "name": "AWS:CloudTrail", "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand" }, { "name": "AWS:CloudTrail", "channel": "SSM RunCommand" }, { "name": "AWS:CloudTrail", "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services" }, { "name": "AWS:CloudTrail", "channel": "command-line execution invoking credential enumeration" }, { "name": "AWS:CloudTrail", "channel": "ssm:GetCommandInvocation" }, { "name": "AWS:CloudTrail", "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected 
AWS Systems Manager command execution targeting EC2 instances" }, { "name": "azure:activity", "channel": "Intune PowerShell Scripts" }, { "name": "azure:signinlogs", "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain" }, { "name": "Command", "channel": "None" }, { "name": "docker:api", "channel": "docker logs access or container inspect commands from non-administrative users" }, { "name": "docker:daemon", "channel": "docker exec or docker run with unexpected command/entrypoint" }, { "name": "docker:events", "channel": "container exec rm|container stop --force" }, { "name": "ebpf:syscalls", "channel": "useradd or /etc/passwd modified inside container" }, { "name": "EDR:AMSI", "channel": "None" }, { "name": "EDR:cli", "channel": "Command Line Telemetry" }, { "name": "esxi:hostd", "channel": "command execution" }, { "name": "esxi:hostd", "channel": "/var/log/hostd.log" }, { "name": "esxi:hostd", "channel": "modification of config files or shell command execution" }, { "name": "esxi:hostd", "channel": "shell access or job registration" }, { "name": "esxi:hostd", "channel": "logline inspection" }, { "name": "esxi:hostd", "channel": "esxcli network firewall set commands" }, { "name": "esxi:hostd", "channel": "event stream" }, { "name": "esxi:hostd", "channel": "scp/ssh used to move file across hosts" }, { "name": "esxi:hostd", "channel": "None" }, { "name": "esxi:hostd", "channel": "esxcli system syslog config set or reload" }, { "name": "esxi:hostd", "channel": "command log" }, { "name": "esxi:hostd", "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'" }, { "name": "esxi:hostd", "channel": "Command Execution" }, { "name": "esxi:hostd", "channel": "remote CLI + vim-cmd logging" }, { "name": "esxi:hostd", "channel": "execution + payload hints" }, { "name": "esxi:shell", "channel": "esxcli system syslog config set/reload, services.sh restart/stop" }, { "name": "esxi:shell", "channel": "snapshot create/copy, 
esxcli" }, { "name": "esxi:shell", "channel": "interactive shell" }, { "name": "esxi:shell", "channel": "/var/log/shell.log" }, { "name": "esxi:shell", "channel": "invoked remote scripts (esxcli)" }, { "name": "esxi:shell", "channel": "base64 or gzip use within shell session" }, { "name": "esxi:shell", "channel": "scripts or binaries with misleading names" }, { "name": "esxi:shell", "channel": "/var/log/shell.log entries containing \"esxcli system clock get\"" }, { "name": "esxi:shell", "channel": "None" }, { "name": "esxi:shell", "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")" }, { "name": "esxi:shell", "channel": "openssl|tar|dd" }, { "name": "esxi:shell", "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log" }, { "name": "esxi:shell", "channel": "CLI usage logs" }, { "name": "esxi:shell", "channel": "Command execution trace" }, { "name": "esxi:shell", "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files" }, { "name": "esxi:shell", "channel": "esxcli system syslog config set --loghost='' or stopping hostd service" }, { "name": "esxi:shell", "channel": "Shell Access/Command Execution" }, { "name": "esxi:shell", "channel": "esxcli software vib list" }, { "name": "esxi:shell", "channel": "/root/.ash_history" }, { "name": "esxi:shell", "channel": "mv, rename, or chmod commands moving VM files into hidden directories" }, { "name": "esxi:shell", "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`" }, { "name": "esxi:shell", "channel": "CLI session activity" }, { "name": "esxi:shell", "channel": "esxcli system shutdown or reboot invoked" }, { "name": "esxi:shell", "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration" }, { "name": "esxi:shell", "channel": "unset HISTFILE or HISTFILESIZE modifications" }, 
{ "name": "esxi:syslog", "channel": "boot logs" }, { "name": "esxi:vmkernel", "channel": "/var/log/vmkernel.log" }, { "name": "esxi:vmkernel", "channel": "DCUI shell start, BusyBox activity" }, { "name": "esxi:vmkernel", "channel": "esxcli system account add" }, { "name": "esxi:vmkernel", "channel": "Unexpected restarts of management agents or shell access" }, { "name": "esxi:vmkernel", "channel": "esxcli, vim-cmd invocation" }, { "name": "esxi:vobd", "channel": "shell session start" }, { "name": "esxi:vpxd", "channel": "vCenter Management" }, { "name": "fs:fsusage", "channel": "file system activity monitor" }, { "name": "fs:fsusage", "channel": "access to BPF devices or interface IOCTLs" }, { "name": "gcp:audit", "channel": "None" }, { "name": "gcp:audit", "channel": "methodName: setIamPolicy, startInstance, createServiceAccount" }, { "name": "kubernetes:audit", "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)" }, { "name": "kubernetes:audit", "channel": "process execution involving curl, grep, or awk on secrets" }, { "name": "linus:syslog", "channel": "None" }, { "name": "linux:cli", "channel": "command logging" }, { "name": "linux:cli", "channel": "Shell history logs" }, { "name": "linux:cli", "channel": "Terminal Command History" }, { "name": "linux:cli", "channel": "/home/*/.bash_history" }, { "name": "linux:osquery", "channel": "Command-line includes base64 -d or openssl enc -d" }, { "name": "linux:osquery", "channel": "process_events.command_line" }, { "name": "linux:shell", "channel": "Manual invocation of software enumeration commands via interactive shell" }, { "name": "linux:syslog", "channel": "cron activity" }, { "name": "linux:syslog", "channel": "Suspicious script or command execution targeting browser folders" }, { "name": "linux:syslog", "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat" }, { "name": "linux:syslog", 
"channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs" }, { "name": "linux:syslog", "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user" }, { "name": "linux:syslog", "channel": "sshd logs" }, { "name": "linux:syslog", "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'" }, { "name": "linux:syslog", "channel": "Sudo or root escalation followed by filesystem mount commands" }, { "name": "linuxsyslog", "channel": "nslcd or winbind logs" }, { "name": "m365:defender", "channel": "Activity Log: Command Invocation" }, { "name": "m365:exchange", "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient" }, { "name": "m365:exchange", "channel": "Get-RoleGroup, Get-DistributionGroup" }, { "name": "m365:messagetrace", "channel": "Inbound email triggers execution of mailbox-stored custom form" }, { "name": "m365:messagetrace", "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic" }, { "name": "m365:messagetrace", "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page" }, { "name": "m365:office", "channel": "Startup execution includes non-default component" }, { "name": "m365:office", "channel": "Execution of unsigned macro from template" }, { "name": "m365:unified", "channel": "Automated forwarding or file sync initiated by a logic app" }, { "name": "m365:unified", "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests" }, { "name": "m365:unified", "channel": "Set-Mailbox, New-InboxRule" }, { "name": "m365:unified", "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation" }, { "name": "macos:osquery", "channel": "Interpreter exec with suspicious arguments as above" }, { "name": "macos:osquery", "channel": "launchd + process_events" }, { "name": "macos:syslog", "channel": "system.log" }, { "name": "macos:syslog", "channel": "/var/log/system.log" }, { "name": "macos:unifiedlog", "channel": "dsconfigad or dscl with 
create or append options for AD-bound users" }, { "name": "macos:unifiedlog", "channel": "launchctl unload, kill, or pkill commands affecting daemons or background services" }, { "name": "macos:unifiedlog", "channel": "execution of security-agent detection or enumeration commands" }, { "name": "macos:unifiedlog", "channel": "log stream --predicate" }, { "name": "macos:unifiedlog", "channel": "Execution of chflags hidden or SetFile -a V" }, { "name": "macos:unifiedlog", "channel": "log stream" }, { "name": "macos:unifiedlog", "channel": "defaults read -g AppleLocale, systemsetup -gettimezone" }, { "name": "macos:unifiedlog", "channel": "profiles install -type=configuration" }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'eventMessage contains \"loginwindow\" or \"pfctl\"'" }, { "name": "macos:unifiedlog", "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers" }, { "name": "macos:unifiedlog", "channel": "Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain" }, { "name": "macos:unifiedlog", "channel": "nohup, disown, or osascript execution patterns" }, { "name": "macos:unifiedlog", "channel": "Execution of 'profiles install -type=configuration'" }, { "name": "macos:unifiedlog", "channel": "subsystem:com.apple.Terminal" }, { "name": "macos:unifiedlog", "channel": "base64 or curl processes chained within short execution window" }, { "name": "macos:unifiedlog", "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys" }, { "name": "macos:unifiedlog", "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777" }, { "name": "macos:unifiedlog", "channel": "command includes dscl . 
delete or sysadminctl --deleteUser" }, { "name": "macos:unifiedlog", "channel": "DS daemon log entries" }, { "name": "macos:unifiedlog", "channel": "diskutil eraseDisk / asr restore with destructive flags" }, { "name": "macos:unifiedlog", "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf" }, { "name": "macos:unifiedlog", "channel": "pwpolicy|PasswordPolicy" }, { "name": "macos:unifiedlog", "channel": "Command line contains smbutil view //, mount_smbfs //" }, { "name": "macos:unifiedlog", "channel": "log messages related to disk enumeration context or Terminal session" }, { "name": "macos:unifiedlog", "channel": "defaults write com.apple.system.logging or logd manipulation" }, { "name": "macos:unifiedlog", "channel": "process calling security find-certificate, export, or import" }, { "name": "macos:unifiedlog", "channel": "Execution of log show, fs_usage, or cat targeting system.log" }, { "name": "macos:unifiedlog", "channel": "execution of launchctl load/unload/start commands" }, { "name": "macos:unifiedlog", "channel": "base64 -d or osascript invoked on staged file" }, { "name": "macos:unifiedlog", "channel": "diskutil partitionDisk or eraseVolume with partition scheme modifications" }, { "name": "macos:unifiedlog", "channel": "grep/cat on files matching credential patterns" }, { "name": "macos:unifiedlog", "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags" }, { "name": "macos:unifiedlog", "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper" }, { "name": "macos:unifiedlog", "channel": "process: at, job runner" }, { "name": "macos:unifiedlog", "channel": "Execution of dscl . 
create with IsHidden=1" }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'" }, { "name": "macos:unifiedlog", "channel": "xattr utility execution with -w or -p flags" }, { "name": "macos:unifiedlog", "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage" }, { "name": "macos:unifiedlog", "channel": "launchctl load or boot-time plist registration" }, { "name": "macos:unifiedlog", "channel": "dscl -create" }, { "name": "macos:unifiedlog", "channel": "kextload execution from Terminal or suspicious paths" }, { "name": "macos:unifiedlog", "channel": "xattr -d com.apple.quarantine or similar removal commands" }, { "name": "macos:unifiedlog", "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation" }, { "name": "macos:unifiedlog", "channel": "None" }, { "name": "macos:unifiedlog", "channel": "Execution of chflags hidden or setfile -a V" }, { "name": "macos:unifiedlog", "channel": "process:spawn, process:exec" }, { "name": "macos:unifiedlog", "channel": "csrutil disable" }, { "name": "macos:unifiedlog", "channel": "log show --predicate 'process == '" }, { "name": "macos:unifiedlog", "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context" }, { "name": "macos:unifiedlog", "channel": "command execution triggered by emond (e.g., shell, curl, python)" }, { "name": "macos:unifiedlog", "channel": "Set or unset HIST* variables in shell environment" }, { "name": "macos:unifiedlog", "channel": "defaults read -g AppleLocale or systemsetup -gettimezone" }, { "name": "macos:unifiedlog", "channel": "launchctl load/unload or plist file modification" }, { "name": "macos:unifiedlog", "channel": "dscl . 
-create" }, { "name": "macos:unifiedlog", "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks" }, { "name": "macos:unifiedlog", "channel": "Execution of osascript, sh, bash, zsh, installer, open" }, { "name": "MobileEDR:telemetry", "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase" }, { "name": "MobileEDR:telemetry", "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase" }, { "name": "networkdevice:cli", "channel": "CLI command" }, { "name": "networkdevice:cli", "channel": "Policy Update" }, { "name": "networkdevice:cli", "channel": "ip ssh pubkey-chain" }, { "name": "networkdevice:cli", "channel": "erase flash:, erase startup-config, format disk" }, { "name": "networkdevice:cli", "channel": "CLI command logs" }, { "name": "networkdevice:cli", "channel": "cmd: cmd=show clock detail" }, { "name": "networkdevice:cli", "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')" }, { "name": "networkdevice:cli", "channel": "None" }, { "name": "networkdevice:cli", "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'" }, { "name": "networkdevice:cli", "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')" }, { "name": "networkdevice:cli", "channel": "format flash:, format disk, reformat commands" }, { "name": "networkdevice:cli", "channel": "erase flash:, erase nvram:, format disk" }, { "name": "networkdevice:cli", "channel": "command logs" }, { "name": "networkdevice:cli", "channel": "command logging" }, { "name": "networkdevice:cli", "channel": "Interface commands" }, { "name": "networkdevice:cli", "channel": "Execution of privileged commands such as 
'copy tftp flash', 'boot system', or 'debug memory'" }, { "name": "networkdevice:cli", "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')" }, { "name": "networkdevice:cli", "channel": "shell command" }, { "name": "networkdevice:cli", "channel": "Commands like 'no logging' or equivalents that disable session history" }, { "name": "networkdevice:cli", "channel": "Execution of commands such as 'copy tftp flash', 'boot system ', 'reload'" }, { "name": "networkdevice:config", "channel": "PKI export or certificate manipulation commands" }, { "name": "networkdevice:config", "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers" }, { "name": "networkdevice:Firewall", "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config" }, { "name": "networkdevice:syslog", "channel": "Command Audit / Configuration Change" }, { "name": "networkdevice:syslog", "channel": "eventlog" }, { "name": "networkdevice:syslog", "channel": "command_exec" }, { "name": "networkdevice:syslog", "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source" }, { "name": "networkdevice:syslog", "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'" }, { "name": "networkdevice:syslog", "channel": "CLI command audit" }, { "name": "networkdevice:syslog", "channel": "system boot logs" }, { "name": "networkdevice:syslog", "channel": "exec command='monitor capture'" }, { "name": "networkdevice:syslog", "channel": "no logging buffered, no aaa new-model, disable firewall" }, { "name": "networkdevice:syslog", "channel": "interactive shell logging" }, { "name": "networkdevice:syslog", "channel": "command sequence: erase \u2192 format \u2192 reload" }, { "name": "networkdevice:syslog", 
"channel": "CLI Command Logging" }, { "name": "networkdevice:syslog", "channel": "CLI Command Audit" }, { "name": "networkdevice:syslog", "channel": "command audit" }, { "name": "networkdevice:syslog", "channel": "Privilege-level command execution" }, { "name": "networkdevice:syslog", "channel": "Detected CLI command to export key material" }, { "name": "networkdevice:syslog", "channel": "reload command issued" }, { "name": "networkdevice:syslog", "channel": "syslog facility LOCAL7 or trap messages" }, { "name": "saas:PRMetadata", "channel": "Commit message or branch name contains encoded strings or payload indicators" }, { "name": "vpxd.log", "channel": "VM inventory queries and configuration enumeration through vCenter API calls" }, { "name": "WinEventLog:Microsoft-Office-Alerts", "channel": "Unexpected DLL or component loaded at Office startup" }, { "name": "WinEventLog:Microsoft-Office-Alerts", "channel": "Office application warning or alert on macro execution from template" }, { "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor", "channel": "Outlook loading add-in via unexpected load path or non-default profile context" }, { "name": "WinEventLog:PowerShell", "channel": "Get-ADTrust|GetAllTrustRelationships" }, { "name": "WinEventLog:PowerShell", "channel": "EventCode=4103, 4104, 4105, 4106" }, { "name": "WinEventLog:PowerShell", "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox" }, { "name": "WinEventLog:PowerShell", "channel": "CommandLine=copy-item or robocopy from UNC path" }, { "name": "WinEventLog:PowerShell", "channel": "PowerShell launched from outlook.exe or triggered without user invocation" }, { "name": "WinEventLog:PowerShell", "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config" }, { "name": "WinEventLog:PowerShell", "channel": "Exchange Cmdlets" }, { "name": "WinEventLog:PowerShell", "channel": "CmdletName: Get-Recipient, Get-User" }, { "name": 
"WinEventLog:PowerShell", "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets" }, { "name": "WinEventLog:PowerShell", "channel": "Execution of PowerShell without -NoProfile flag" }, { "name": "WinEventLog:PowerShell", "channel": "EventCode=4101" }, { "name": "WinEventLog:Security", "channel": "EventCode=4103, 4104, 4105, 4106" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "created": "2023-03-13T20:00:38.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0115", "external_id": "DC0115" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-13T23:45:27.570Z", "name": "Protected Configuration", "description": "Protected Configuration represents security-sensitive device settings, security policies, or operating system configurations that are normally restricted to administrators, system services, or device management platforms.\nMonitoring these configurations enables detection of adversaries attempting to weaken device security controls or alter trusted device relationships.\n\nExamples\nAndroid:\n\n- USB debugging enabled\n- Unknown app installation allowed\n- Developer options enabled\n\niOS:\n\n- Developer mode enabled\n- Device pairing trust relationships established\n- Configuration profile restrictions modified\n", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Application Vetting", "channel": "None" }, { "name": "iOS:MDMLog", "channel": "Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed" }, { 
"name": "android:MDMLog", "channel": "Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed" }, { "name": "iOS:MDMLog", "channel": "Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary" }, { "name": "android:MDMLog", "channel": "Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades" }, { "name": "iOS:MDMLog", "channel": "Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades" }, { "name": "android:MDMLog", "channel": "Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs" }, { "name": "android:MDMLog", "channel": "Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior" }, { "name": "iOS:MDMLog", "channel": "Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change" }, { "name": "android:MDMLog", "channel": "Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "created": "2023-03-13T19:59:42.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0113", "external_id": "DC0113" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": 
"2026-03-11T15:52:58.538Z", "name": "Network Communication", "description": "Network Communication captures outbound or inbound communication initiated by an application or mobile device, including the domains contacted, protocols used, and session metadata associated with the communication.\n\nMonitoring network communication enables defenders to identify command-and-control traffic, data exfiltration, or suspicious communication patterns originating from mobile applications.\n\nExamples\n\n- Connections to previously unseen domains\n- Repeated communication with suspicious infrastructure\n- Communication immediately following application installation\n\nCollection Methods\n\n- Mobile VPN telemetry\n- Secure web gateway logs\n- Network detection and response (NDR)\n- Mobile EDR network monitoring\n", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Application Vetting", "channel": "None" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0061", "external_id": "DC0061" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-16T16:41:53.549Z", "name": "File Modification", "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). 
Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "File", "channel": "None" }, { "name": "auditd:SYSCALL", "channel": "open/write calls modifying ~/.bashrc, ~/.profile, or /etc/paths.d" }, { "name": "macos:unifiedlog", "channel": "File modification in /etc/paths.d or user shell rc files" }, { "name": "fs:fileevents", "channel": "/var/log/quarantine.log" }, { "name": "macos:unifiedlog", "channel": "Modification of ~/Library/LaunchAgents or /Library/LaunchDaemons plist" }, { "name": "auditd:SYSCALL", "channel": "open, write" }, { "name": "auditd:SYSCALL", "channel": "AUDIT_SYSCALL (open, write, rename, unlink)" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_WRITE, targeting .zshrc, .zlogin, .zprofile" }, { "name": "fs:fileevents", "channel": "/var/log/install.log" }, { "name": "auditd:SYSCALL", "channel": "PATH" }, { "name": "macos:osquery", "channel": "file_events" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=2" }, { "name": "auditd:SYSCALL", "channel": "execve call for 
modification of /etc/sudoers or writing to /var/db/sudo" }, { "name": "auditd:SYSCALL", "channel": "open, write: File modifications under /etc/ssl/certs, /usr/local/share/ca-certificates, or /etc/pki/ca-trust/source/anchors" }, { "name": "macos:osquery", "channel": "query: Enumeration of root certificates showing unexpected additions" }, { "name": "auditd:SYSCALL", "channel": "open, unlink, rename: Suspicious file access, deletion, or modification of sensitive paths" }, { "name": "macos:unifiedlog", "channel": "Anomalous plist modifications or sensitive file overwrites by non-standard processes" }, { "name": "auditd:FILE", "channel": "Modification or deletion of /etc/audit/audit.rules or /etc/audit/audit.conf" }, { "name": "auditd:SYSCALL", "channel": "open/write of .service unit files" }, { "name": "auditd:SYSCALL", "channel": "open/write/unlink" }, { "name": "macos:unifiedlog", "channel": "loginwindow or desktopservices modified settings or files" }, { "name": "ESXiLogs:messages", "channel": "changes to /etc/motd or /etc/vmware/welcome" }, { "name": "auditd:SYSCALL", "channel": "write, rename" }, { "name": "containerd:runtime", "channel": "file change monitoring within /etc/cron.*, /tmp, or mounted volumes" }, { "name": "esxi:cron", "channel": "manual edits to /etc/rc.local.d/local.sh or cron.d" }, { "name": "auditd:PATH", "channel": "/etc/passwd or /etc/group file write" }, { "name": "auditd:SYSCALL", "channel": "write" }, { "name": "macos:unifiedlog", "channel": "SecurityAgentPlugins modification" }, { "name": "macos:unifiedlog", "channel": "write: File modifications to *.plist within LaunchAgents, LaunchDaemons, Application Support, or Preferences directories" }, { "name": "linux:osquery", "channel": "file_events" }, { "name": "esxi:hostd", "channel": "boot" }, { "name": "networkdevice:syslog", "channel": "config" }, { "name": "macos:unifiedlog", "channel": "Modification of backgrounditems.btm or creation of LoginItems subdirectory in .app bundle" }, { "name": 
"fs:filesystem", "channel": "Modification or creation of files matching 'com.apple.loginwindow.*.plist' in ~/Library/Preferences/ByHost" }, { "name": "auditd:SYSCALL", "channel": "write | PATH=/home/*/.ssh/authorized_keys" }, { "name": "macos:auth", "channel": "~/.ssh/authorized_keys" }, { "name": "gcp:audit", "channel": "compute.instances.setMetadata" }, { "name": "azure:resource", "channel": "PATCH vm/authorized_keys" }, { "name": "esxi:shell", "channel": "file write or edit" }, { "name": "linux:syslog", "channel": "rename" }, { "name": "ebpf:syscalls", "channel": "file_write" }, { "name": "macos:unifiedlog", "channel": "Modification of plist with apple.awt.UIElement set to TRUE" }, { "name": "fs:fsusage", "channel": "unlink, write" }, { "name": "auditd:SYSCALL", "channel": "open, write: Write operations targeting /dev/sda, /dev/nvme0n1, or EFI partition mounts" }, { "name": "auditd:PATH", "channel": "write: Modification of /boot/grub/*, /boot/efi/EFI/*, or initramfs images" }, { "name": "networkdevice:config", "channel": "config-change: timezone or ntp server configuration change after a time query command" }, { "name": "macos:unifiedlog", "channel": "replace existing dylibs" }, { "name": "networkdevice:config", "channel": "Configuration changes to boot variables, startup image paths, or checksum verification failures" }, { "name": "firmware:update", "channel": "Unexpected or unscheduled firmware updates, image overwrites, or failed signature validation" }, { "name": "IntegrityCheck:ImageValidation", "channel": "Checksum or hash mismatch between running image and known-good vendor-provided image" }, { "name": "macos:osquery", "channel": "File modifications in ~/Library/Preferences/" }, { "name": "auditd:SYSCALL", "channel": "open/write to /etc/pam.d/*" }, { "name": "macos:unifiedlog", "channel": "Modification of /Library/Security/SecurityAgentPlugins" }, { "name": "macos:unifiedlog", "channel": "Modifications to Mail.app plist files controlling message rules" }, 
{ "name": "WinEventLog:Security", "channel": "EventCode=4663, 4670, 4656" }, { "name": "auditd:SYSCALL", "channel": "write: Modification of structured stored data by suspicious processes" }, { "name": "linux:syslog", "channel": "Unexpected log entries or malformed SQL operations in databases" }, { "name": "macos:unifiedlog", "channel": "Unexpected creation or modification of stored data files in protected directories" }, { "name": "auditd:SYSCALL", "channel": "openat, write, rename, unlink" }, { "name": "macos:unifiedlog", "channel": "file encrypted|new file with .encrypted extension|disk write burst" }, { "name": "esxi:vmkernel", "channel": "rename .vmdk to .*.locked|datastore write spike" }, { "name": "macos:unifiedlog", "channel": "Mach-O binary modified or LC_LOAD_DYLIB segment inserted" }, { "name": "auditd:SYSCALL", "channel": "open/write syscalls targeting /etc/ld.so.preload or binaries in /usr/bin" }, { "name": "macos:unifiedlog", "channel": "Modified application plist or binary replacement in /Applications" }, { "name": "esxi:shell", "channel": "admin command usage" }, { "name": "networkdevice:syslog", "channel": "startup-config" }, { "name": "macos:unifiedlog", "channel": "File creation or overwrite in common web-hosting folders" }, { "name": "esxi:vmkernel", "channel": "Unauthorized file modifications within datastore volumes via shell access or vCLI" }, { "name": "networkdevice:config", "channel": "Configuration changes referencing 'crypto', 'key length', 'cipher', or downgrade of encryption settings" }, { "name": "FirmwareLogs:Update", "channel": "Unexpected firmware or image updates modifying cryptographic modules" }, { "name": "fs:plist", "channel": "/var/root/Library/Preferences/com.apple.loginwindow.plist" }, { "name": "auditd:SYSCALL", "channel": "modification of existing .service file" }, { "name": "auditd:PATH", "channel": "write or create events on *.pth, sitecustomize.py, usercustomize.py in site-packages or dist-packages" }, { "name": 
"macos:unifiedlog", "channel": "write of plist files in /Library/LaunchAgents or /Library/LaunchDaemons" }, { "name": "WinEventLog:System", "channel": "Unexpected modification to lsass.exe or cryptdll.dll" }, { "name": "networkconfig", "channel": "unexpected OS image file upload or modification events" }, { "name": "network:runtime", "channel": "checksum or runtime memory verification failures" }, { "name": "macos:unifiedlog", "channel": "write" }, { "name": "auditd:SYSCALL", "channel": "open, write: Modification of /boot/grub/* or /boot/efi/*" }, { "name": "macos:unifiedlog", "channel": "Modification of /System/Library/CoreServices/boot.efi" }, { "name": "macos:unifiedlog", "channel": "Modification of LaunchAgents or LaunchDaemons plist files" }, { "name": "auditd:SYSCALL", "channel": "chmod" }, { "name": "auditd:SYSCALL", "channel": "rename,chmod" }, { "name": "fs:fsevents", "channel": "create/write/rename under user-writable paths" }, { "name": "macos:osquery", "channel": "Changes to LSFileQuarantineEnabled field in Info.plist" }, { "name": "fs:fsusage", "channel": "file access to /usr/lib/cron/tabs/ and cron output files" }, { "name": "esxi:hostd", "channel": "modification of crontab or local.sh entries" }, { "name": "networkdevice:config", "channel": "Configuration file modified or replaced on network device" }, { "name": "macos:unifiedlog", "channel": "Plist modifications containing virtualization run configurations" }, { "name": "fs:fsusage", "channel": "file access to /usr/lib/cron/at and job execution path" }, { "name": "macos:unifiedlog", "channel": "binary modified or replaced" }, { "name": "esxi:hostd", "channel": "binary or module replacement event" }, { "name": "networkdevice:config", "channel": "Configuration change events referencing encryption, TLS/SSL, or IPSec settings" }, { "name": "networkdevice:firmware", "channel": "Unexpected firmware update or image modification affecting crypto modules" }, { "name": "fs:fsevents", "channel": "file system 
events indicating permission, ownership, or extended attribute changes on critical paths. File system modification events with kFSEventStreamEventFlagItemChangeOwner, kFSEventStreamEventFlagItemXattrMod flags" }, { "name": "auditd:FILE", "channel": "Modification of Display Manager configuration files (/etc/gdm3/*, /etc/lightdm/*)" }, { "name": "macos:unifiedlog", "channel": "Modification of /Library/Preferences/com.apple.loginwindow plist" }, { "name": "auditd:SYSCALL", "channel": "Modification of user shell profile or trap registration via echo/redirection (e.g., echo \"trap 'malicious_cmd' INT\" >> ~/.bashrc)" }, { "name": "macos:unifiedlog", "channel": "File write or append to .zshrc, .bash_profile, .zprofile, etc." }, { "name": "auditd:SYSCALL", "channel": "chmod, write, create, open" }, { "name": "fs:fsevents", "channel": "Extensions" }, { "name": "auditd:SYSCALL", "channel": "open, write: File writes to application binaries or libraries at runtime" }, { "name": "macos:osquery", "channel": "CALCULATE: Mismatch in file integrity of critical macOS applications" }, { "name": "auditd:SYSCALL", "channel": "file write operations in /Library/WebServer/Documents" }, { "name": "fs:launchdaemons", "channel": "file_modify" }, { "name": "auditd:PATH", "channel": "write: File modifications to /etc/systemd/sleep.conf or related power configuration files" }, { "name": "macos:unifiedlog", "channel": "write: File modification to com.apple.PowerManagement.plist or related system preference files" }, { "name": "fs:fsusage", "channel": "modification of existing LaunchAgents plist" }, { "name": "macos:unifiedlog", "channel": "create/modify dylib in monitored directories" }, { "name": "WinEventLog:CodeIntegrity", "channel": "EventCode=3033" }, { "name": "auditd:SYSCALL", "channel": "write operation on /etc/passwd or /etc/shadow" }, { "name": "macos:unifiedlog", "channel": "modification to /var/db/dslocal/nodes/Default/users/" }, { "name": "linux:osquery", "channel": "New or 
modified kernel object files (.ko) within /lib/modules directory" }, { "name": "macos:osquery", "channel": "Modifications to /var/db/SystemPolicyConfiguration/KextPolicy or kext_policy table" }, { "name": "networkdevice:audit", "channel": "SNMP configuration changes, such as enabling read/write access or modifying community strings" }, { "name": "macos:osquery", "channel": "write" }, { "name": "auditd:SYSCALL", "channel": "mount or losetup commands creating hidden or encrypted FS" }, { "name": "macos:unifiedlog", "channel": "Hidden volume attachment or modification events" }, { "name": "macos:unifiedlog", "channel": "Suspicious plist edits for volume mounting behavior" }, { "name": "networkdevice:config", "channel": "Configuration changes to startup image paths, boot loader parameters, or debug flags" }, { "name": "networkdevice:syslog", "channel": "Checksum/hash mismatch between device OS image and baseline known-good version" }, { "name": "macos:unifiedlog", "channel": "file writes" }, { "name": "m365:defender", "channel": "OfficeTelemetry or DLP" }, { "name": "fs:fsusage", "channel": "Filesystem Access Logging" }, { "name": "networkdevice:config", "channel": "Configuration changes referencing cryptographic hardware modules or disabling hardware acceleration" }, { "name": "FirmwareLogs:Update", "channel": "Unexpected firmware updates that alter encryption libraries or disable hardware crypto modules" }, { "name": "m365:office", "channel": "Anomalous editing of invoice or payment document templates" }, { "name": "fs:fsusage", "channel": "truncate, unlink, write" }, { "name": "macos:unifiedlog", "channel": "Modification or replacement of /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db" }, { "name": "linux:fim", "channel": "Changes to /etc/rc.local.d/local.sh or creation of unexpected startup files in persistent partitions (/etc/init.d, /store, /locker)" }, { "name": "macos:endpointsecurity", "channel": "write, 
rename" }, { "name": "auditd:SYSCALL", "channel": "open/write to /proc/*/mem or /proc/*/maps" }, { "name": "sysdig:file", "channel": "evt.type=write" }, { "name": "macos:unifiedlog", "channel": "rule definitions written to emond rule plists" }, { "name": "networkdevice:config", "channel": "Configuration changes referencing older image versions or unexpected boot parameters" }, { "name": "FileIntegrity:ImageValidation", "channel": "Hash/checksum mismatch against baseline vendor-provided OS image versions" }, { "name": "auditd:SYSCALL", "channel": "write or rename to /etc/systemd/system or /etc/init.d" }, { "name": "fs:fsusage", "channel": "file write to launchd plist paths" }, { "name": "auditd:SYSCALL", "channel": "modification of entrypoint scripts or init containers" }, { "name": "fs:plist_monitoring", "channel": "/Users/*/Library/Mail/V*/MailData/RulesActiveState.plist" }, { "name": "auditd:SYSCALL", "channel": "chmod/chown to /etc/passwd or /etc/shadow" }, { "name": "auditd:SYSCALL", "channel": "open/write syscalls targeting web directory files" }, { "name": "macos:unifiedlog", "channel": "Terminal/Editor processes modifying web folder" }, { "name": "esxi:vmkernel", "channel": "/var/log/vmkernel.log" }, { "name": "AndroidLogs:FileSystem", "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts" }, { "name": "iOS:unifiedlog", "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents" }, { "name": "android:logcat", "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change" }, { "name": "MobileEDR:telemetry", "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event" }, { "name": "MobileEDR:telemetry", "channel": "Application inserts, 
updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history" }, { "name": "auditd:PATH", "channel": "Modification of ~/.ssh/authorized_keys or credential files" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0018", "external_id": "DC0018" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-20T18:17:23.974Z", "name": "Host Status", "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. 
Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "networkdevice:syslog", "channel": "no logging host, no aaa new-model, no snmp-server, commit" }, { "name": "android:appops", "channel": "ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries" }, { "name": "AndroidAttestation:SafetyNet", "channel": "SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false" }, { "name": "AndroidAttestation:VerifiedBoot", "channel": "Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure" }, { "name": "AndroidLogs:Crash", "channel": "Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process 
activity or binder connections from a single app UID" }, { "name": "AndroidLogs:Crash", "channel": "Application or system process crash/restart patterns temporally associated with remote service communications" }, { "name": "auditd:SYSCALL", "channel": "firmware_update, kexec_load" }, { "name": "AWS:CloudMetrics", "channel": "Autoscaling, memory/cpu alarms, or instance unhealthiness" }, { "name": "AWS:CloudWatch", "channel": "Sustained spike in CPU usage on EC2 instance with web service role" }, { "name": "AWS:CloudWatch", "channel": "StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3)" }, { "name": "AWS:CloudWatch", "channel": "Sustained EC2 CPU usage above normal baseline" }, { "name": "AWS:CloudWatch", "channel": "NetworkOut spike beyond baseline" }, { "name": "AWS:CloudWatch", "channel": "Sudden spike in network output without a corresponding inbound request ratio" }, { "name": "AWS:CloudWatch", "channel": "Unusual CPU burst or metric anomalies" }, { "name": "esxi:hostd", "channel": "Powering off or restarting host" }, { "name": "iOS:MDMLog", "channel": "Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition" }, { "name": "iOS:unifiedlog", "channel": "code signature validation failure / exec of invalidly-signed payload from sandboxed app" }, { "name": "iOS:unifiedlog", "channel": "Application crash logs, watchdog terminations, or abnormal execution events associated with service communication" }, { "name": "journald:boot", "channel": "Secure Boot failure, firmware version change" }, { "name": "kubernetes:events", "channel": "CrashLoopBackOff, OOMKilled, container restart count exceeds threshold" }, { "name": "linux:procfs", "channel": "Sustained high /proc/[pid]/stat usage" }, { "name": "linux:syslog", "channel": "Out of memory killer invoked or kernel panic entries" }, { "name": "linux:syslog", "channel": "Service stop or disable messages for security tools not reflected in SIEM 
alerts" }, { "name": "linux:syslog", "channel": "system is powering down" }, { "name": "macos:osquery", "channel": "interface_details " }, { "name": "macos:syslog", "channel": "Hardware UUID or device list drift" }, { "name": "macos:unifiedlog", "channel": "Web service process (e.g., httpd) entering crash loop or consuming excessive CPU" }, { "name": "macos:unifiedlog", "channel": "Spike in CPU or memory use from non-user-initiated processes" }, { "name": "macos:unifiedlog", "channel": "Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons" }, { "name": "macos:unifiedlog", "channel": "network stack resource exhaustion, tcp_accept queue overflow, repeated resets" }, { "name": "macos:unifiedlog", "channel": "EFI firmware integrity check failed" }, { "name": "macos:unifiedlog", "channel": "System Integrity Protection (SIP) state reported as disabled" }, { "name": "macos:unifiedlog", "channel": "System shutdown or reboot requested" }, { "name": "MDM:DeviceIntegrity", "channel": "jailbreak/root compromise indicators or integrity attestation failures enabling process visibility" }, { "name": "networkdevice:syslog", "channel": "System reboot scheduled or performed" }, { "name": "NSM:Flow", "channel": "TCP: possible SYN flood or backlog limit exceeded" }, { "name": "OEMAttestation:Knox", "channel": "Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set" }, { "name": "prometheus:metrics", "channel": "Container CPU/Memory usage exceeding threshold" }, { "name": "sar:network", "channel": "Outbound network saturation with minimal process activity" }, { "name": "Sensor Health", "channel": "None" }, { "name": "Windows:perfmon", "channel": "Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe)" }, { "name": "Windows:perfmon", "channel": "High sustained CPU usage by a single process" }, { "name": "Windows:perfmon", "channel": "Sudden spike in outbound throughput without corresponding inbound traffic" }, { "name": 
"Windows:perfmon", "channel": "Sudden spikes in CPU/Memory usage linked to specific application processes" }, { "name": "WinEventLog:Microsoft-Windows-TCPIP", "channel": "Connection queue overflow or failure to allocate TCP state object" }, { "name": "WinEventLog:Security", "channel": "EventCode=1166, 7045" }, { "name": "WinEventLog:Security", "channel": "EventCode=1074" }, { "name": "WinEventLog:Security", "channel": "EventCode=6006" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=16" }, { "name": "WinEventLog:System", "channel": "System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0083", "external_id": "DC0083" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-23T19:38:20.657Z", "name": "Cloud Service Enumeration", "description": "Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. 
Examples: \n\n- AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.\n- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.\n- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.\n- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "AWS:CloudTrail", "channel": "GetSecretValue" }, { "name": "gcp:secrets", "channel": "accessSecretVersion" }, { "name": "azure:ad", "channel": "SecretGet" }, { "name": "AWS:CloudTrail", "channel": "ssm:ListInventoryEntries" }, { "name": "AWS:CloudTrail", "channel": "DescribeInstances, DescribeServices, ListFunctions: High frequency enumeration calls or unusual user agents performing discovery" }, { "name": "azure:audit", "channel": "ListApplications, ListServicePrincipals: Large-scale queries against identity or application objects" }, { "name": "m365:unified", "channel": "Get-MsolServicePrincipal, ListAppRoles: Service discovery operations executed by accounts not normally performing administrative tasks" }, { "name": "saas:adminapi", "channel": "ListIntegrations, ListServices: Repeated service discovery requests from accounts without administrative responsibilities" }, { "name": "AWS:CloudTrail", "channel": "GetInstanceIdentityDocument or IMDSv2 token requests" }, { "name": "AWS:CloudTrail", "channel": "DescribeUsers / ListUsers / GetUser" }, { "name": "azure:signinlogs", "channel": "Graph API 
Query" }, { "name": "saas:MDM", "channel": "Device lookup, location query, or remote management operation" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0021", "external_id": "DC0021" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T18:22:40.476Z", "name": "OS API Execution", "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Process", "channel": "None" }, { "name": "etw:Microsoft-Windows-Kernel-Base", "channel": "GetLocaleInfoW, GetTimeZoneInformation API calls" }, { "name": "AWS:CloudTrail", "channel": "GetMetadata, DescribeInstanceIdentity" }, { "name": "macos:osquery", "channel": "open, execve: Unexpected processes accessing or modifying critical files" }, { "name": "auditd:SYSCALL", "channel": "ptrace, ioctl" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "API tracing / stack tracing via ETW or telemetry-based EDR" }, { "name": "EDR:memory", "channel": "Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc)" }, { "name": "networkdevice:syslog", "channel": "aaa privilege_exec" }, { "name": 
"macos:unifiedlog", "channel": "None" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "APCQueueOperations" }, { "name": "macos:unifiedlog", "channel": "Invocation of SMLoginItemSetEnabled by non-system or recently installed application" }, { "name": "macos:unifiedlog", "channel": "flock|NSDistributedLock|FileHandle.*lockForWriting" }, { "name": "etw:Microsoft-Windows-Directory-Services-SAM", "channel": "api_call: Calls to DsAddSidHistory or related RPC operations" }, { "name": "macos:unifiedlog", "channel": "application logs referencing NSTimer, sleep, or launchd delays" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage" }, { "name": "auditd:SYSCALL", "channel": "Rules capturing clock_gettime, time, gettimeofday syscalls when enabled" }, { "name": "networkdevice:syslog", "channel": "Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance" }, { "name": "etw:Microsoft-Windows-RPC", "channel": "rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes" }, { "name": "NSM:Flow", "channel": "smb_command: TreeConnectAndX to \\\\*\\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares" }, { "name": "WinEventLog:Security", "channel": "EventCode=4663, 4670, 4656" }, { "name": "EDR:memory", "channel": "API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers" }, { "name": "auditd:SYSCALL", "channel": "openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process" }, { "name": "macos:unifiedlog", "channel": "Access decisions to kTCCServiceCamera for unexpected binaries" }, { "name": "EDR:memory", "channel": "Objective\u2011C/Swift calls to AVCaptureDevice/AVCaptureSession by non-whitelisted processes" }, { "name": "auditd:SYSCALL", "channel": "mmap, ptrace, process_vm_writev or direct memory 
ops" }, { "name": "WinEventLog:Application", "channel": "API call to AddMonitor invoked by non-installer process" }, { "name": "etw:Microsoft-Windows-Win32k", "channel": "SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage" }, { "name": "auditd:SYSCALL", "channel": "unshare, mount, keyctl, setns syscalls executed by containerized processes" }, { "name": "macos:unifiedlog", "channel": "audio APIs" }, { "name": "WinEventLog:Microsoft-Windows-COM/Operational", "channel": "CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline" }, { "name": "macos:unifiedlog", "channel": "com.apple.securityd, com.apple.tccd" }, { "name": "auditd:SYSCALL", "channel": "send, recv, write: Abnormal interception or alteration of transmitted data" }, { "name": "macos:osquery", "channel": "CALCULATE: Integrity validation of transmitted data via hash checks" }, { "name": "ETW:Token", "channel": "token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "API Calls" }, { "name": "etw:Microsoft-Windows-DotNETRuntime", "channel": "AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime" }, { "name": "EDR:memory", "channel": "VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad" }, { "name": "auditd:MMAP", "channel": "memory region with RWX permissions allocated" }, { "name": "snmp:trap", "channel": "management queries" }, { "name": "AWS:CloudTrail", "channel": "Describe* or List* API calls" }, { "name": "etw:Microsoft-Windows-Win32k", "channel": "SendMessage, PostMessage, LVM_*" }, { "name": "auditd:SYSCALL", "channel": "sudo or pkexec invocation" }, { "name": "macos:unifiedlog", "channel": "authorization execute privilege requests" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "NtQueryInformationProcess" }, { "name": "macos:unifiedlog", "channel": "ptrace: Processes invoking ptrace 
with PTRACE_TRACEME flag" }, { "name": "esxi:hostd", "channel": "Remote access API calls and file uploads" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread" }, { "name": "linux:syslog", "channel": "Execution of modified binaries or abnormal library load sequences" }, { "name": "macos:unifiedlog", "channel": "Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools" }, { "name": "macos:unifiedlog", "channel": "access or unlock attempt to keychain database" }, { "name": "macos:unifiedlog", "channel": "Execution of input detection APIs (e.g., CGEventSourceKeyState)" }, { "name": "auditd:SYSCALL", "channel": "mount system call with bind or remap flags" }, { "name": "AWS:CloudTrail", "channel": "Decrypt" }, { "name": "etw:Microsoft-Windows-Kernel-File", "channel": "ZwSetEaFile or ZwQueryEaFile function calls" }, { "name": "auditd:SYSCALL", "channel": "fork/clone/daemon syscall tracing" }, { "name": "fs:fsusage", "channel": "Detached process execution with no associated parent" }, { "name": "auditd:SYSCALL", "channel": "ptrace, mmap, mprotect, open, dlopen" }, { "name": "ETW:ProcThread", "channel": "api_call: CreateProcessWithTokenW, CreateProcessAsUserW" }, { "name": "EDR:memory", "channel": "MemoryWriteToExecutable" }, { "name": "ETW:Token", "channel": "api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx" }, { "name": "etw:Microsoft-Windows-Security-Auditing", "channel": "api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "API calls" }, { "name": "auditd:SYSCALL", "channel": "ptrace, mmap, 
process_vm_writev" }, { "name": "auditd:SYSCALL", "channel": "execve of dd or sed targeting /proc/*/mem" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx" }, { "name": "ETW", "channel": "Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses" }, { "name": "EDR:file", "channel": "SetFileTime" }, { "name": "AndroidLogs:Kernel", "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)" }, { "name": "android:logcat", "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID" }, { "name": "iOS:unifiedlog", "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files" }, { "name": "android:logcat", "channel": "QUERY on exported ContentProviders of other packages (content://<authority>/*) or MediaStore scoped queries immediately preceding file reads" }, { "name": "android:logcat", "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by <package>" }, { "name": "android:logcat", "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages" }, { "name": "android:logcat", "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground" }, { "name": "android:logcat", "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for <package>. 
TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by <package>" }, { "name": "iOS:unifiedlog", "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes" }, { "name": "android:logcat", "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks" }, { "name": "iOS:unifiedlog", "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors" }, { "name": "android:logcat", "channel": "ACTION_VIEW redirect_uri handled by unexpected package" }, { "name": "android:logcat", "channel": "canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri" }, { "name": "android:logcat", "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)" }, { "name": "iOS:unifiedlog", "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers" }, { "name": "android:logcat", "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package" }, { "name": "android:logcat", "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package" }, { "name": "android:logcat", "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package" }, { "name": "android:logcat", "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)" }, { "name": "android:logcat", "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)" }, { "name": 
"iOS:unifiedlog", "channel": "Application invokes UIDevice queries (model, systemVersion, name)" }, { "name": "android:logcat", "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source" }, { "name": "iOS:unifiedlog", "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls" }, { "name": "android:logcat", "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs" }, { "name": "iOS:unifiedlog", "channel": "Application activates CoreLocation services or CLLocationManager APIs" }, { "name": "MobileEDR:telemetry", "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction" }, { "name": "MobileEDR:telemetry", "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')" }, { "name": "MobileEDR:telemetry", "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity" }, { "name": "MobileEDR:telemetry", "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence" }, { "name": "MobileEDR:telemetry", "channel": "Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access" }, { "name": "MobileEDR:telemetry", "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions" }, { "name": "MobileEDR:telemetry", "channel": "Observed 
network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use" }, { "name": "MobileEDR:telemetry", "channel": "Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation" }, { "name": "MobileEDR:telemetry", "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install" }, { "name": "MobileEDR:telemetry", "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install" }, { "name": "MobileEDR:telemetry", "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update" }, { "name": "MobileEDR:telemetry", "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image" }, { "name": "android:logcat", "channel": "Invocation of Calendar.set() and Calendar.add()" }, { "name": "iOS:unifiedlog", "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior" }, { "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like 
behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access" }, { "name": "iOS:unifiedlog", "channel": "Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior" }, { "name": "MobileEDR:telemetry", "channel": "App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication" }, { "name": "iOS:unifiedlog", "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device" }, { "name": "MobileEDR:telemetry", "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow" }, { "name": "iOS:unifiedlog", "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence" }, { "name": "MobileEDR:telemetry", "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform" }, { "name": "iOS:unifiedlog", "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform" }, { "name": "MobileEDR:telemetry", "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing" }, { 
"name": "android:logcat", "channel": "Invocation of CallLogs.getLastOutgoingCall()" }, { "name": "android:logcat", "channel": "Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()" }, { "name": "iOS:unifiedlog", "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context" }, { "name": "android:logcat", "channel": "Invocation of AccountManager.getAccounts()" }, { "name": "MobileEDR:telemetry", "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow" }, { "name": "MobileEDR:telemetry", "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow" }, { "name": "MobileEDR:telemetry", "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active" }, { "name": "MobileEDR:telemetry", "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow" }, { "name": "MobileEDR:telemetry", "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow" }, { "name": "MobileEDR:telemetry", "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship" }, { "name": "MobileEDR:telemetry", "channel": "App intercepts notification 
content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction" }, { "name": "MobileEDR:telemetry", "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows" }, { "name": "MobileEDR:telemetry", "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers" }, { "name": "MobileEDR:telemetry", "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage" }, { "name": "MobileEDR:telemetry", "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers" }, { "name": "MobileEDR:telemetry", "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication" }, { "name": "MobileEDR:telemetry", "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment" }, { "name": "MobileEDR:telemetry", "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain" }, { "name": "MobileEDR:telemetry", "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer" }, { "name": "MobileEDR:telemetry", "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload" }, { "name": "MobileEDR:telemetry", "channel": "Application queries or opens multiple local SQLite or 
app-associated database stores containing records unrelated to the app's declared function during the collection phase" }, { "name": "MobileEDR:telemetry", "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission" }, { "name": "MobileEDR:telemetry", "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain" }, { "name": "MobileEDR:telemetry", "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment" }, { "name": "MobileEDR:telemetry", "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation" }, { "name": "MobileEDR:telemetry", "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase" }, { "name": "MobileEDR:telemetry", "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase" }, { "name": "MobileEDR:telemetry", "channel": "Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase" }, { "name": "MobileEDR:telemetry", "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase" }, { "name": "MobileEDR:telemetry", "channel": "Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic 
interval, or execution constraints during the persistence/execution setup phase" }, { "name": "MobileEDR:telemetry", "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases" }, { "name": "MobileEDR:telemetry", "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase" }, { "name": "MobileEDR:telemetry", "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase" }, { "name": "MobileEDR:telemetry", "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior" }, { "name": "MobileEDR:telemetry", "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase" }, { "name": "MobileEDR:telemetry", "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events" }, { "name": "MobileEDR:telemetry", "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context" }, { "name": "MobileEDR:telemetry", "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval" }, { "name": "MobileEDR:telemetry", "channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)" }, { "name": 
"MobileEDR:telemetry", "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant" }, { "name": "MobileEDR:telemetry", "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation" }, { "name": "MobileEDR:telemetry", "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed" }, { "name": "MobileEDR:telemetry", "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match" }, { "name": "MobileEDR:telemetry", "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition" }, { "name": "MobileEDR:telemetry", "channel": "application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match" }, { "name": "MobileEDR:telemetry", "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression" }, { "name": "MobileEDR:telemetry", "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence" }, { "name": "MobileEDR:telemetry", "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation" }, { "name": "MobileEDR:telemetry", 
"channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground" }, { "name": "MobileEDR:telemetry", "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state" }, { "name": "MobileEDR:telemetry", "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss" }, { "name": "MobileEDR:telemetry", "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss" }, { "name": "MobileEDR:telemetry", "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0038", "external_id": "DC0038" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T19:46:47.171Z", "name": "Application Log Content", "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. 
These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "android:logcat", "channel": "Default IME active or bound to (InputMethodManager reports imeId=)" }, { "name": "android:logcat", "channel": "Default IME changed/active: imeId=, onStartInput/onFinishInput high frequency. 
TYPE_APPLICATION_OVERLAY|addView .* showing on top of package <target package>" }, { "name": "android:logcat", "channel": "Default IME active imeId=<ime_id>; frequent onStartInput/commitText calls" }, { "name": "android:logcat", "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over <target package>" }, { "name": "android:logcat", "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn" }, { "name": "android:logcat", "channel": "Task switch from browser/custom tab to handler immediately after OAuth return" }, { "name": "android:logcat", "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background" }, { "name": "Application Log", "channel": "None" }, { "name": "Application:Mail", "channel": "smtpd$.*$: .*from=.*@internaldomain.com to=.*@internaldomain.com" }, { "name": "Application:Mail", "channel": "Inbound messages with anomalous headers or SPF/DKIM failures indicating spoofing" }, { "name": "Application:Mail", "channel": "Inbound emails containing hyperlinks from suspicious sources" }, { "name": "Application:Mail", "channel": "Inbound email attachments logged from MTAs with suspicious metadata" }, { "name": "Application:Mail", "channel": "Mismatch between authenticated username and From header in email" }, { "name": "Application:Mail", "channel": "High-frequency inbound mail activity to a specific recipient address" }, { "name": "ApplicationLog:API", "channel": "Docker/Kubernetes API access from external sources" }, { "name": "ApplicationLog:CallRecords", "channel": "Outbound or inbound calls to high-risk or blocklisted numbers" }, { "name": "ApplicationLog:EntraIDPortal", "channel": "DeviceRegistration events" }, { "name": "ApplicationLog:IIS", "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)" }, { "name": "ApplicationLog:Ingress", "channel": 
"Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes" }, { "name": "ApplicationLog:Intune/MDM Logs", "channel": "Enrollment events (e.g., MDMDeviceRegistration)" }, { "name": "ApplicationLog:MailServer", "channel": "Unexpected additions of sieve rules or filtering directives" }, { "name": "ApplicationLog:Outlook", "channel": "Outlook client-level rule creation actions not consistent with normal user activity" }, { "name": "ApplicationLog:WebServer", "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors" }, { "name": "AWS:CloudTrail", "channel": "SendEmail" }, { "name": "AWS:CloudTrail", "channel": "InvokeModel" }, { "name": "AWS:CloudTrail", "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows" }, { "name": "AWS:CloudTrail", "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile" }, { "name": "AWS:CloudTrail", "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services" }, { "name": "AWS:CloudWatch", "channel": "Repeated crash pattern within container or instance logs" }, { "name": "AWS:CloudWatch", "channel": "Elevated 5xx response rates in application logs or gateway layer" }, { "name": "azure:activity", "channel": "Add role assignment / ElevateAccess / Create service principal" }, { "name": "azure:audit", "channel": "App registrations or consent grants by abnormal users or at unusual times" }, { "name": "azure:signinlogs", "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications" }, { "name": "azure:signinlogs", "channel": "Modify Conditional Access Policy" }, { "name": "azure:signinlogs", "channel": "Register PTA Agent or Modify AD FS trust" }, { "name": "azure:signinlogs", "channel": "Resource access initiated using application credentials, not user accounts" }, { "name": 
"docker:daemon", "channel": "container_create,container_start" }, { "name": "docker:events", "channel": "Container exited with non-zero code repeatedly in short period" }, { "name": "docker:runtime", "channel": "execution of cloud CLI tool (e.g., aws, az) inside container" }, { "name": "EDR:detection", "channel": "ThreatDetected, QuarantineLog" }, { "name": "EDR:detection", "channel": "ThreatLog" }, { "name": "esxi:esxupdate", "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels" }, { "name": "esxi:hostd", "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections" }, { "name": "esxi:hostd", "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log." }, { "name": "esxi:hostd", "channel": "unexpected script/command invocations via hostd" }, { "name": "esxi:hostd", "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest" }, { "name": "esxi:hostd", "channel": "unexpected script invocations producing long encoded strings" }, { "name": "esxi:hostd", "channel": "Host daemon command log entries related to vib enumeration" }, { "name": "esxi:hostd", "channel": "New extension/module install with unknown vendor ID" }, { "name": "esxi:vmkernel", "channel": "vmkernel / OpenSLP logs for malformed requests" }, { "name": "esxi:vpxd", "channel": "Symmetric crypto routines triggered for external session" }, { "name": "esxi:vpxd", "channel": "ESXi process initiating asymmetric handshake with external host" }, { "name": "gcp:workspaceaudit", "channel": "SendAs: Outbound messages with alias identities that differ from primary account" }, { "name": "iOS:unifiedlog", "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging" }, { 
"name": "iOS:unifiedlog", "channel": "UIPasteboard read (general/string/data); repeated reads or background access" }, { "name": "iOS:unifiedlog", "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling" }, { "name": "iOS:unifiedlog", "channel": "Secure text entry focus and editingChanged bursts not typical for the app" }, { "name": "iOS:unifiedlog", "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields" }, { "name": "iOS:unifiedlog", "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)" }, { "name": "iOS:unifiedlog", "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time" }, { "name": "iOS:unifiedlog", "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts" }, { "name": "iOS:unifiedlog", "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)" }, { "name": "journald:Application", "channel": "Segfault or crash log entry associated with specific application binary" }, { "name": "journald:systemd", "channel": "Repeated service restart attempts or unit failures" }, { "name": "kubernetes:orchestrator", "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)" }, { "name": "linux:cli", "channel": "cleared or truncated .bash_history" }, { "name": "linux:syslog", "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device" }, { "name": "linux:syslog", "channel": "Inbound messages from webmail services containing attachments or URLs" }, { "name": "linux:syslog", "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service 
terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc." }, { "name": "linux:syslog", "channel": "System daemons initiating encrypted sessions with unexpected destinations" }, { "name": "linux:syslog", "channel": "milter configuration updated, transport rule initialized, unexpected script execution" }, { "name": "linux:syslog", "channel": "Repetitive HTTP 408, 500, or 503 errors logged within short timeframe" }, { "name": "linux:syslog", "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads" }, { "name": "linux:syslog", "channel": "processes binding to non-standard ports or sshd configured on unexpected port" }, { "name": "linux:syslog", "channel": "system daemons initiating TLS sessions outside expected services" }, { "name": "linux:syslog", "channel": "browser/office crash, segfault, abnormal termination" }, { "name": "linux:syslog", "channel": "Error/warning logs from services indicating load spike or worker exhaustion" }, { "name": "linux:syslog", "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain" }, { "name": "linux:syslog", "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway" }, { "name": "linux:syslog", "channel": "opened document|clicked link|segfault|abnormal termination|sandbox" }, { "name": "linux:syslog", "channel": "Authentication attempts into finance-related servers from unusual IPs or times" }, { "name": "linux:syslog", "channel": "sshd sessions with unusual port forwarding parameters" }, { "name": "linux:syslog", "channel": "Non-standard processes negotiating SSL/TLS key exchanges" }, { "name": "linux:syslog", "channel": "Module registration or stacktrace logs indicating segmentation faults or unknown module errors" }, { "name": "linux:syslog", "channel": "Segfaults, kernel oops, or crashes in security software processes" }, { "name": "m365:exchange", "channel": "Emails containing 
cleartext secrets (password=, api_key=, token=) shared across internal/external domains" }, { "name": "m365:exchange", "channel": "Transport Rule Modification" }, { "name": "m365:exchange", "channel": "Admin Audit Logs, Transport Rules" }, { "name": "m365:exchange", "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient" }, { "name": "m365:exchange", "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation" }, { "name": "m365:exchange", "channel": "MessageTrace logs" }, { "name": "m365:exchange", "channel": "External sender message followed by user action involving links or attachments" }, { "name": "m365:mailboxaudit", "channel": "Outlook rule creation or custom form deployment" }, { "name": "m365:messagetrace", "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail" }, { "name": "m365:messagetrace", "channel": "X-MS-Exchange-Organization-AutoForwarded" }, { "name": "m365:purview", "channel": "MailItemsAccessed & Exchange Audit" }, { "name": "m365:purview", "channel": "MailItemsAccessed, Search-Mailbox events" }, { "name": "m365:teams", "channel": "External chat request or new tenant communication preceding approval activity" }, { "name": "m365:unified", "channel": "Unusual form activity within Outlook client, including load of non-default forms" }, { "name": "m365:unified", "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed" }, { "name": "m365:unified", "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed" }, { "name": "m365:unified", "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types" }, { "name": "m365:unified", "channel": "FileAccessed: Access of email attachments by Office applications" }, { "name": "m365:unified", "channel": "Creation or modification of inbox rule outside of normal user behavior" }, { "name": "m365:unified", "channel": "Send/Receive: Inbound emails 
containing embedded or shortened URLs" }, { "name": "m365:unified", "channel": "AppRegistration: Unexpected application registration or OAuth authorization" }, { "name": "m365:unified", "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns" }, { "name": "m365:unified", "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook" }, { "name": "m365:unified", "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA" }, { "name": "m365:unified", "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise" }, { "name": "m365:unified", "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder" }, { "name": "m365:unified", "channel": "PurgeAuditLogs, Remove-MailboxAuditLog" }, { "name": "m365:unified", "channel": "Set-CsOnlineUser or UpdateAuthPolicy" }, { "name": "m365:unified", "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online" }, { "name": "m365:unified", "channel": "Transport rule or inbox rule creation events" }, { "name": "m365:unified", "channel": "GAL Lookup or Address Book download" }, { "name": "m365:unified", "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders" }, { "name": "m365:unified", "channel": "certificate added or modified in application credentials" }, { "name": "m365:unified", "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call" }, { "name": "m365:unified", "channel": "Set federation settings on domain|Set domain authentication|Add federated identity provider" }, { "name": "m365:unified", "channel": "SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership" }, { "name": "m365:unified", "channel": "Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating 
impersonated replies" }, { "name": "m365:unified", "channel": "SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities" }, { "name": "m365:unified", "channel": "Read-only configuration review from GUI" }, { "name": "m365:unified", "channel": "Modify Federation Settings or Update Authentication Policy" }, { "name": "m365:unified", "channel": "Send/Receive: Unusual spikes in inbound messages to a single recipient" }, { "name": "m365:unified", "channel": "PowerShell: Add-MailboxPermission" }, { "name": "m365:unified", "channel": "Add-MailboxPermission or Set-ManagementRoleAssignment" }, { "name": "m365:unified", "channel": "Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship" }, { "name": "m365:unified", "channel": "Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship" }, { "name": "m365:unified", "channel": "MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams" }, { "name": "m365:unified", "channel": "FileAccessed, FileDownloaded, SearchQueried" }, { "name": "m365:unified", "channel": "Detection of hidden macro streams or SetHiddenAttribute actions" }, { "name": "m365:unified", "channel": "RunMacro" }, { "name": "m365:unified", "channel": "FileUploaded or FileCopied events" }, { "name": "m365:unified", "channel": "TeamsMessageAccess, TeamsExport, ExternalAppAccess" }, { "name": "m365:unified", "channel": "TeamsMessagesAccessedViaEDiscovery, TeamsGraphMessageExport" }, { "name": "m365:unified", "channel": "FileAccessed" }, { "name": "m365:unified", "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion" }, { "name": "m365:unified", "channel": "MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet" }, { "name": "m365:unified", "channel": "Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication" }, 
{ "name": "macos:jamf", "channel": "RemoteCommandExecution" }, { "name": "macos:unifiedlog", "channel": "Device attached|enumerated VID/PID" }, { "name": "macos:unifiedlog", "channel": "Inbound email activity with suspicious domains or mismatched sender information" }, { "name": "macos:unifiedlog", "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)." }, { "name": "macos:unifiedlog", "channel": "Received messages with embedded or shortened URLs" }, { "name": "macos:unifiedlog", "channel": "Received messages containing embedded links or attachments from non-enterprise services" }, { "name": "macos:unifiedlog", "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons." }, { "name": "macos:unifiedlog", "channel": "opendirectoryd crashes or abnormal authentication errors" }, { "name": "macos:unifiedlog", "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches" }, { "name": "macos:unifiedlog", "channel": "log stream cleared or truncated" }, { "name": "macos:unifiedlog", "channel": "quarantine or AV-related subsystem" }, { "name": "macos:unifiedlog", "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console" }, { "name": "macos:unifiedlog", "channel": "Inbound messages with attachments from suspicious domains" }, { "name": "macos:unifiedlog", "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata" }, { "name": "macos:unifiedlog", "channel": "Mail.app or third-party clients sending messages with mismatched From headers" }, { "name": "macos:unifiedlog", "channel": "process crash, abort, code signing violations" }, { "name": "macos:unifiedlog", "channel": "Configuration profile modified or new profile installed" }, { "name": "macos:unifiedlog", "channel": "Crash log entries for a process 
receiving malformed input or known exploit patterns" }, { "name": "macos:unifiedlog", "channel": "Repetitive inbound email delivery activity logged within a short time window" }, { "name": "macos:unifiedlog", "channel": "Application errors or resource contention from excessive frontend or script invocation" }, { "name": "macos:unifiedlog", "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains" }, { "name": "macos:unifiedlog", "channel": "new DHCP configuration with anomalous DNS or router values" }, { "name": "macos:unifiedlog", "channel": "Mail or AppleScript subsystem" }, { "name": "macos:unifiedlog", "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine" }, { "name": "macos:unifiedlog", "channel": "Anomalous keychain access attempts targeting payment credentials" }, { "name": "macos:unifiedlog", "channel": "Abnormal terminations of com.apple.security.* or 3rd-party security daemons" }, { "name": "networkdevice:controlplane", "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands" }, { "name": "networkdevice:syslog", "channel": "config push events" }, { "name": "networkdevice:syslog", "channel": "SIP REGISTER, INVITE, or unusual call destination metadata" }, { "name": "networkdevice:syslog", "channel": "Failed authentication requests redirected to non-standard portals" }, { "name": "NSM:Connections", "channel": "PushNotificationSent" }, { "name": "NSM:Connections", "channel": "Failed password or accepted password for SSH users" }, { "name": "saas:Airtable", "channel": "EXPORT: User-triggered data export via GUI or API" }, { "name": "saas:application", "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns." 
}, { "name": "saas:application", "channel": "High-volume API calls or traffic via messaging or webhook service" }, { "name": "saas:audit", "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows" }, { "name": "saas:audit", "channel": "Application added or consent granted: Integration persisting after original user disabled" }, { "name": "saas:box", "channel": "User navigated to admin interface" }, { "name": "saas:collaboration", "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)" }, { "name": "saas:confluence", "channel": "access.content" }, { "name": "saas:email", "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch" }, { "name": "saas:finance", "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts" }, { "name": "saas:github", "channel": "Bulk access to multiple files or large volume of repo requests within short time window" }, { "name": "saas:gmail", "channel": "SendEmail, OpenAttachment, ClickLink" }, { "name": "saas:googledrive", "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions" }, { "name": "saas:googleworkspace", "channel": "OAuth2 authorization grants / Admin role assignments" }, { "name": "saas:hubspot", "channel": "contact_viewed, contact_exported, login" }, { "name": "saas:okta", "channel": "Conditional Access policy rule modified or MFA requirement disabled" }, { "name": "saas:okta", "channel": "MFAChallengeIssued" }, { "name": "saas:okta", "channel": "WebUI access to administrator dashboard" }, { "name": "saas:okta", "channel": "Federation configuration update or signing certificate change" }, { "name": "saas:okta", "channel": "System API Call: user.read, group.read" }, { "name": "saas:okta", "channel": "policy.rule.update;system.log.disable;admin.role.assign" }, { "name": "saas:openai", "channel": "High volume of 
requests to /v1/chat/completions or /v1/images/generations" }, { "name": "saas:salesforce", "channel": "DataExport, RestAPI, Login, ReportExport" }, { "name": "saas:slack", "channel": "file_upload, message_send, message_click" }, { "name": "saas:slack", "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex" }, { "name": "saas:slack", "channel": "OAuth token use by unknown app client_id accessing private channels or files" }, { "name": "saas:slack", "channel": "conversations.history, files.list, users.info, audit_logs" }, { "name": "saas:slack", "channel": "External DM or workspace invite preceding credential or approval actions" }, { "name": "saas:Snowflake", "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables" }, { "name": "saas:teams", "channel": "ChatMessageSent, ChatMessageEdited, LinkClick" }, { "name": "saas:zoom", "channel": "unusual web session tokens and automation patterns during login" }, { "name": "saas:zoom", "channel": "Unexpected contact interaction preceding follow-on admin requests" }, { "name": "WinEventLog:Application", "channel": "Outlook errors loading or processing custom form templates" }, { "name": "WinEventLog:Application", "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings" }, { "name": "WinEventLog:Application", "channel": "Outlook rule execution failure or abnormal rule execution context" }, { "name": "WinEventLog:Application", "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution" }, { "name": "WinEventLog:Application", "channel": "Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs" }, { "name": "WinEventLog:Application", "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events" }, { "name": "WinEventLog:Application", "channel": "Outlook logs indicating 
failure to load or render HTML page in Home Page view" }, { "name": "WinEventLog:Application", "channel": "EventCode=1000" }, { "name": "WinEventLog:Application", "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)" }, { "name": "WinEventLog:Application", "channel": "SCCM, Intune logs" }, { "name": "WinEventLog:Application", "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files" }, { "name": "WinEventLog:Application", "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses" }, { "name": "WinEventLog:Application", "channel": "Outlook rule creation, form load, or homepage redirection" }, { "name": "WinEventLog:Application", "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)" }, { "name": "WinEventLog:Application", "channel": "Exchange logs or header artifacts" }, { "name": "WinEventLog:Application", "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs" }, { "name": "WinEventLog:Security", "channel": "EventCode=6416" }, { "name": "WinEventLog:Security", "channel": "EventCode=1102" }, { "name": "WinEventLog:Security", "channel": "EventCode=4663, 4670, 4656" }, { "name": "WinEventLog:System", "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe" }, { "name": "WinEventLog:System", "channel": "Device started/installed (UMDF) GUIDs" }, { "name": "WinEventLog:System", "channel": "EventCode=1000" }, { "name": "WinEventLog:System", "channel": "EventCode=104" }, { "name": "WinEventLog:System", "channel": "EventCode=1341, 1342, 1020, 1063" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": 
false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0078", "external_id": "DC0078" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T17:32:30.362Z", "name": "Network Traffic Flow", "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Network Traffic", "channel": "None" }, { "name": "macos:osquery", "channel": "socket_events" }, { "name": "NSM:Flow", "channel": "Unexpected flows between segmented networks or prohibited ports" }, { "name": "snmp:config", "channel": "Configuration change traps or policy enforcement failures" }, { "name": "NSM:Flow", "channel": "First-time outbound connections to package registries or unknown hosts immediately after restore/build" }, { "name": "NSM:Flow", "channel": "First-time egress to new registries/CDNs post-install/build" }, { "name": "NSM:Flow", "channel": "First-time egress to non-approved registries after dependency install" }, { "name": "NSM:Flow", "channel": "Outbound connections to TCP 139,445 and HTTP/HTTPS to WebDAV endpoints from workstation subnets" }, { "name": "NSM:Flow", "channel": "large outbound data flows or long-duration connections" }, { "name": "AWS:VPCFlowLogs", "channel": "egress > 90th percentile or frequent connection reuse" }, { "name": "NSM:Flow", "channel": "conn.log" }, { "name": "auditd:SYSCALL", "channel": "socket/connect" }, { "name": 
"esxi:syslog", "channel": "esxcli network vswitch or DNS resolver configuration updates" }, { "name": "esxi:vobd", "channel": "Network Events" }, { "name": "iptables:LOG", "channel": "TCP connections" }, { "name": "NSM:Flow", "channel": "connection metadata" }, { "name": "wineventlog:dhcp", "channel": "DHCP Lease Granted" }, { "name": "NSM:Flow", "channel": "LEASE_GRANTED" }, { "name": "NSM:Flow", "channel": "MAC not in allow-list acquiring IP (DHCP)" }, { "name": "Windows Firewall Log", "channel": "SMB over high port" }, { "name": "NSM:Connections", "channel": "Internal connection logging" }, { "name": "NSM:Flow", "channel": "pf firewall logs" }, { "name": "esxi:vmkernel", "channel": "/var/log/vmkernel.log" }, { "name": "NSM:Flow", "channel": "Inter-segment traffic" }, { "name": "NSM:Flow", "channel": "None" }, { "name": "NSM:Flow", "channel": "Long-lived or hijacked SSH sessions maintained with no active user activity" }, { "name": "AWS:VPCFlowLogs", "channel": "VPC/NSG flow logs for pod/instance egress to Internet or metadata" }, { "name": "macos:unifiedlog", "channel": "Suspicious outbound traffic from browser binary to non-standard domains" }, { "name": "NSM:Flow", "channel": "Abnormal browser traffic volume or destination" }, { "name": "NSM:Flow", "channel": "Outbound requests to domains not previously resolved or associated with phishing campaigns" }, { "name": "NSM:Flow", "channel": "Outbound traffic to domains/IPs not previously resolved, occurring shortly after attachment download or link click" }, { "name": "M365Defender:DeviceNetworkEvents", "channel": "NetworkConnection: bytes_sent >> bytes_received anomaly" }, { "name": "PF:Logs", "channel": "outbound flows with bytes_out >> bytes_in" }, { "name": "NSX:FlowLogs", "channel": "network_flow: bytes_out >> bytes_in to external" }, { "name": "NSM:Flow", "channel": "NetFlow/Zeek conn.log" }, { "name": "AWS:VPCFlowLogs", "channel": "Outbound data flows" }, { "name": "NSM:Flow", "channel": "Flow records with 
entropy signatures resembling symmetric encryption" }, { "name": "NSM:Flow", "channel": "flow records" }, { "name": "networkdevice:syslog", "channel": "flow records" }, { "name": "macos:unifiedlog", "channel": "HTTPS POST to known webhook URLs" }, { "name": "saas:api", "channel": "Webhook registrations or repeated POST activity" }, { "name": "NSM:Flow", "channel": "Source/destination IP translation inconsistent with intended policy" }, { "name": "SNMP:DeviceLogs", "channel": "Unexpected NAT translation statistics or rule insertion events" }, { "name": "NSM:Flow", "channel": "Sudden spike in incoming flows to web service ports from single/multiple IPs" }, { "name": "AWS:VPCFlowLogs", "channel": "Unusual volume of inbound packets from single source across short time interval" }, { "name": "NSM:Flow", "channel": "port 5900 inbound" }, { "name": "NSM:Flow", "channel": "TCP port 5900 open" }, { "name": "NSM:firewall", "channel": "inbound connection to port 5900" }, { "name": "NSM:Firewall", "channel": "Outbound connections to 139/445 to multiple destinations" }, { "name": "VPCFlowLogs:All", "channel": "High volume internal traffic with low entropy indicating looped or malicious DoS script" }, { "name": "NSM:Flow", "channel": "NetFlow/sFlow/PCAP" }, { "name": "NSM:Flow", "channel": "Outbound Network Flow" }, { "name": "macos:unifiedlog", "channel": "com.apple.network" }, { "name": "NSM:Flow", "channel": "Device-to-Device Deployment Flows" }, { "name": "auditd:SYSCALL", "channel": "socket/connect syscalls" }, { "name": "macos:unifiedlog", "channel": "outbound TCP/UDP traffic over unexpected port" }, { "name": "esxi:vpxd", "channel": "ESXi service connections on unexpected ports" }, { "name": "iptables:LOG", "channel": "OUTBOUND" }, { "name": "macos:unifiedlog", "channel": "tcp/udp" }, { "name": "esxi:hostd", "channel": "CLI network calls" }, { "name": "NSM:Flow", "channel": "Outbound traffic from suspicious new processes post-attachment execution" }, { "name": 
"macos:unifiedlog", "channel": "Suspicious anomalies in transmitted data integrity during application network operations" }, { "name": "esxi:syslog", "channel": "DNS resolution events leading to outbound traffic on unexpected ports" }, { "name": "NSM:Flow", "channel": "Outbound traffic to mining pools or proxies" }, { "name": "AWS:VPCFlowLogs", "channel": "Outbound flow logs to known mining pools" }, { "name": "container:cni", "channel": "Outbound network traffic to mining proxies" }, { "name": "esxi:vpxd", "channel": "TLS session established by ESXi service to unapproved endpoint" }, { "name": "NSM:Flow", "channel": "Session records with TLS-like byte patterns" }, { "name": "macos:unifiedlog", "channel": "HTTPS POST requests to pastebin.com or similar" }, { "name": "NetFlow:Flow", "channel": "new outbound connections from exploited process tree" }, { "name": "NSM:Connections", "channel": "new connections from exploited lineage" }, { "name": "NSM:Flow", "channel": "Unexpected route changes or duplicate gateway advertisements" }, { "name": "WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "channel": "EventCode=2004, 2005, 2006" }, { "name": "NSM:Flow", "channel": "Knock pattern: repeated REJ/S0 across \u2265MinSequenceLen ports from same src_ip then SF success." }, { "name": "macos:unifiedlog", "channel": "Firewall/PF anchor load or rule change events." }, { "name": "networkdevice:syslog", "channel": "Config/ACL changes, line vty transport input changes, telnet/ssh/http(s) enable, image/feature module changes." 
}, { "name": "NSM:Flow", "channel": "First-time egress to non-approved update hosts right after install/update" }, { "name": "NSM:Flow", "channel": "New outbound flows to non-approved vendor hosts post install" }, { "name": "NSM:Flow", "channel": "New/rare egress to non-approved update hosts after install" }, { "name": "NSM:Flow", "channel": "large outbound HTTPS uploads to repo domains" }, { "name": "esxi:vmkernel", "channel": "HTTPS traffic to repository domains" }, { "name": "NSM:Flow", "channel": "alert log" }, { "name": "esxi:vmkernel", "channel": "None" }, { "name": "NSM:Flow", "channel": "Outbound flow records" }, { "name": "m365:defender", "channel": "NetworkConnection: high out:in ratio, periodic beacons, protocol mismatch" }, { "name": "PF:Logs", "channel": "high out:in ratio or fixed-size periodic flows" }, { "name": "NSM:Flow", "channel": "network_flow: bytes_out >> bytes_in, fixed packet sizes/intervals to non-approved CIDRs" }, { "name": "auditd:SYSCALL", "channel": "connect or sendto system call with burst pattern" }, { "name": "macos:unifiedlog", "channel": "sudden burst in outgoing packets from same PID" }, { "name": "AWS:VPCFlowLogs", "channel": "source instance sends large volume of traffic in short window" }, { "name": "NSM:Flow", "channel": "session stats with bytes_out > bytes_in" }, { "name": "NIDS:Flow", "channel": "session stats with bytes_out > bytes_in" }, { "name": "esxi:vpxa", "channel": "connection attempts and data transmission logs" }, { "name": "PF:Logs", "channel": "External traffic to remote access services" }, { "name": "NSM:Flow", "channel": "High volumes of SYN/ACK packets with unacknowledged TCP handshakes" }, { "name": "dns:query", "channel": "Outbound resolution to hidden service domains (e.g., `.onion`)" }, { "name": "NSM:Flow", "channel": "conn.log + ssl.log with Tor fingerprinting" }, { "name": "macos:unifiedlog", "channel": "forwarded encrypted traffic" }, { "name": "NSM:Flow", "channel": "Relayed session pathing 
(multi-hop)" }, { "name": "NSM:Flow", "channel": "Outbound TCP SYN or UDP to multiple ports/hosts" }, { "name": "containerd:runtime", "channel": "container-level outbound traffic events" }, { "name": "WLANLogs:Association", "channel": "Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type" }, { "name": "linux:osquery", "channel": "socket_events" }, { "name": "WinEventLog:Security", "channel": "ARP cache modification attempts observed through event tracing or security baselines" }, { "name": "NSM:Flow", "channel": "Gratuitous ARP replies with mismatched IP-MAC binding" }, { "name": "macos:unifiedlog", "channel": "ARP table updates inconsistent with expected gateway or DHCP lease assignments" }, { "name": "macos:unifiedlog", "channel": "networkd or com.apple.network" }, { "name": "macos:unifiedlog", "channel": "log stream 'eventMessage contains \"dns_request\"'" }, { "name": "esxi:syslog", "channel": "/var/log/syslog.log" }, { "name": "AWS:CloudTrail", "channel": "CreateTrafficMirrorSession or ModifyTrafficMirrorTarget" }, { "name": "networkdevice:syslog", "channel": "Config change: CLI/NETCONF/SNMP \u2013 'monitor session', 'mirror port'" }, { "name": "NSM:Flow", "channel": "Outbound UDP floods targeting common reflection services with spoofed IP headers" }, { "name": "macos:unifiedlog", "channel": "Outbound UDP spikes to external reflector IPs" }, { "name": "AWS:VPCFlowLogs", "channel": "Large outbound UDP traffic to multiple public reflector IPs" }, { "name": "macos:unifiedlog", "channel": "High entropy domain queries with multiple NXDOMAINs" }, { "name": "esxi:syslog", "channel": "Frequent DNS queries with high entropy names or NXDOMAIN results" }, { "name": "vpxd.log", "channel": "API communication" }, { "name": "NSM:Connections", "channel": "Outbound Connection" }, { "name": "NSM:Flow", "channel": "Connection Tracking" }, { "name": "NSM:Firewall", "channel": "pf firewall logs" }, { "name": "NSM:Flow", "channel": "Flow Creation 
(NetFlow/sFlow)" }, { "name": "NSM:Flow", "channel": "conn.log, icmp.log" }, { "name": "NSM:Flow", "channel": "Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions" }, { "name": "NSM:Flow", "channel": "Gratuitous or duplicate DHCP OFFER packets from non-legitimate servers" }, { "name": "NSM:Connections", "channel": "Inbound on ports 5985/5986" }, { "name": "linux:syslog", "channel": "Multiple IP addresses assigned to the same domain in rapid sequence" }, { "name": "macos:unifiedlog", "channel": "Rapid domain-to-IP resolution changes for same domain" }, { "name": "esxi:syslog", "channel": "Frequent DNS resolution of same domain with rotating IPs" }, { "name": "NSM:Flow", "channel": "uncommon ports" }, { "name": "NSM:Flow", "channel": "alternate ports" }, { "name": "esxi:vpxd", "channel": "None" }, { "name": "NSM:Flow", "channel": "conn.log or flow data" }, { "name": "esxi:vmkernel", "channel": "egress log analysis" }, { "name": "esxi:vmkernel", "channel": "egress logs" }, { "name": "NSM:Flow", "channel": "High volume flows with incomplete TCP sessions or single-packet bursts" }, { "name": "NSM:Flow", "channel": "Knock pattern: multiple REJ/S0 to distinct closed ports then successful connection to service_port" }, { "name": "macos:unifiedlog", "channel": "Firewall rule enable/disable or listen socket changes" }, { "name": "networkdevice:syslog", "channel": "Config/ACL/line vty changes, service enable (telnet/ssh/http(s)), module reloads" }, { "name": "auditd:SYSCALL", "channel": "ioctl: Changes to wireless network interfaces (up, down, reassociate)" }, { "name": "macos:osquery", "channel": "query: Historical list of associated SSIDs compared against baseline" }, { "name": "NSM:Flow", "channel": "First-time egress from host after new install to unknown update endpoints" }, { "name": "NSM:Flow", "channel": "First-time egress to unknown registries/mirrors immediately after install" }, { "name": "NSM:Flow", "channel": "New egress from app 
just installed to unknown update endpoints" }, { "name": "esxi:vpxd", "channel": "ESXi processes relaying traffic via SSH or unexpected ports" }, { "name": "NSM:Flow", "channel": "Outbound connection to mining pool port (3333, 4444, 5555)" }, { "name": "NSM:Flow", "channel": "Outbound traffic to mining pool upon container launch" }, { "name": "NSM:Flow", "channel": "Flow records with RSA key exchange on unexpected port" }, { "name": "NSM:Flow", "channel": "Outbound connections from web server binaries (apache2, nginx, php-fpm) to unknown external IPs" }, { "name": "NSM:Flow", "channel": "sustained outbound HTTPS sessions with high data volume" }, { "name": "NSM:Flow", "channel": "Connections from IDE hosts to marketplace/tunnel domains" }, { "name": "macos:unifiedlog", "channel": "Outbound connections from IDE processes to marketplace/tunnel domains" }, { "name": "NSM:Flow", "channel": "large HTTPS outbound uploads" }, { "name": "esxi:vmkernel", "channel": "network flows to external cloud services" }, { "name": "NSM:Flow", "channel": "TCP port 22 traffic" }, { "name": "esxi:vmkernel", "channel": "port 22 access" }, { "name": "TelecomLogs:MobilityEvents", "channel": "Unexpected location resolution events or abnormal subscriber tracking requests" }, { "name": "TelecomLogs:MobilityEvents", "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity" }, { "name": "NSM:Flow", "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns" }, { "name": "NSM:Flow", "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0002", "external_id": "DC0002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T19:47:33.610Z", "name": "User Account Authentication", "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "auditd:AUTH", "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval" }, { "name": "auditd:SYSCALL", "channel": "pam_authenticate, sshd" }, { "name": "auditd:SYSCALL", "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys" }, { "name": "auditd:USER_LOGIN", "channel": "USER_AUTH" }, { "name": "AWS:CloudTrail", "channel": "AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests" }, { "name": "AWS:CloudTrail", "channel": "sts:GetFederationToken" }, { "name": "AWS:CloudTrail", "channel": "AssumeRoleWithWebIdentity" }, { "name": "AWS:CloudTrail", "channel": "AWS IAM: ListUsers, ListRoles" }, { "name": "AWS:CloudTrail", "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn" }, { "name": "AWS:CloudTrail", "channel": "ConsoleLogin or AssumeRole" }, { "name": "AWS:CloudTrail", "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser" }, { "name": "azure:signinlogs", "channel": "Success logs from high-risk accounts" }, { "name": "azure:signinlogs", "channel": "Multiple MFA 
challenge requests without successful primary login" }, { "name": "azure:signinlogs", "channel": "TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events" }, { "name": "azure:signinlogs", "channel": "SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times" }, { "name": "azure:signinlogs", "channel": "Operation=UserLogin" }, { "name": "azure:signinlogs", "channel": "Unusual Token Usage or Application Consent" }, { "name": "azure:signinlogs", "channel": "OperationName=SetDomainAuthentication OR Set-FederatedDomain" }, { "name": "azure:signinlogs", "channel": "Sign-in with unfamiliar location/device + portal navigation" }, { "name": "azure:signinlogs", "channel": "Login from newly created account" }, { "name": "azure:signinlogs", "channel": "Interactive/Non-Interactive Sign-In" }, { "name": "azure:signinlogs", "channel": "Reset password or download key from portal" }, { "name": "azure:signinlogs", "channel": "status = failure" }, { "name": "azure:signinlogs", "channel": "Sign-in logs" }, { "name": "azure:signinlogs", "channel": "SigninSuccess" }, { "name": "azure:signinlogs", "channel": "Failure Reason + UserPrincipalName" }, { "name": "azure:signinlogs", "channel": "Sign-in activity" }, { "name": "azure:signinlogs", "channel": "Sign-in logs / audit events" }, { "name": "esxi:auth", "channel": "interactive shell or SSH access preceding storage enumeration" }, { "name": "esxi:auth", "channel": "/var/log/auth.log" }, { "name": "esxi:auth", "channel": "SSH session/login" }, { "name": "esxi:vpxa", "channel": "user login from unexpected IP or non-admin user role" }, { "name": "esxi:vpxd", "channel": "/var/log/vmware/vpxd.log" }, { "name": "ESXiLogs:authlog", "channel": "Unexpected login followed by encoding commands" }, { "name": "gcp:audit", "channel": "drive.activity" }, { "name": "gcp:audit", "channel": "login.event" }, { "name": "gcp:audit", "channel": "Sign-in logs / 
audit events" }, { "name": "gcp:workspaceaudit", "channel": "Token Generation via Domain Delegation" }, { "name": "GCPAuditLogs:login.googleapis.com", "channel": "Failed sign-in events" }, { "name": "kubernetes:apiserver", "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts" }, { "name": "kubernetes:apiserver", "channel": "authentication.k8s.io/v1beta1" }, { "name": "kubernetes:audit", "channel": "Failed login" }, { "name": "kubernetes:audit", "channel": "authentication.k8s.io" }, { "name": "linux:auth", "channel": "sshd login" }, { "name": "linux:syslog", "channel": "sudo/date/timedatectl execution by non-standard users" }, { "name": "linux:syslog", "channel": "SSH failed login" }, { "name": "linux:syslog", "channel": "Failed password for invalid user" }, { "name": "linux:syslog", "channel": "sshd[pid]: Failed password" }, { "name": "linux:syslog", "channel": "authentication and authorization events during environmental validation phase" }, { "name": "m365:exchange", "channel": "Logon failure" }, { "name": "m365:exchange", "channel": "FailedLogin" }, { "name": "m365:signinlogs", "channel": "Sign-in from anomalous location or impossible travel condition" }, { "name": "m365:signinlogs", "channel": "UserLoginSuccess" }, { "name": "m365:signinlogs", "channel": "Unusual sign-in from service principal to user mailbox" }, { "name": "m365:unified", "channel": "Delegated permission grants without user login event" }, { "name": "m365:unified", "channel": "login using refresh_token with no preceding authentication context" }, { "name": "m365:unified", "channel": "Sign-in logs" }, { "name": "macos:unifiedlog", "channel": "successful sudo or authentication for account not normally associated with admin actions" }, { "name": "macos:unifiedlog", "channel": "Login success without MFA step" }, { "name": "macos:unifiedlog", "channel": "log show --predicate 'eventMessage contains \"Authentication\"'" }, { "name": "macos:unifiedlog", "channel": 
"User credential prompt events without associated trusted installer package" }, { "name": "macos:unifiedlog", "channel": "Login failure / authorization denied" }, { "name": "macos:unifiedlog", "channel": "auth" }, { "name": "macos:unifiedlog", "channel": "Login Window and Authd errors" }, { "name": "macos:unifiedlog", "channel": "authd" }, { "name": "network:auth", "channel": "repeated successful authentications with previously unknown accounts or anomalous password acceptance" }, { "name": "networkdevice:syslog", "channel": "config access, authentication logs" }, { "name": "networkdevice:syslog", "channel": "User privilege escalation to level 15/root prior to destructive commands" }, { "name": "networkdevice:syslog", "channel": "authorization/accounting logs" }, { "name": "networkdevice:syslog", "channel": "Failed and successful logins to network devices outside approved admin IP ranges" }, { "name": "networkdevice:syslog", "channel": "Privileged login followed by destructive format command" }, { "name": "networkdevice:syslog", "channel": "admin login events" }, { "name": "networkdevice:syslog", "channel": "Privileged login followed by destructive command sequence" }, { "name": "networkdevice:syslog", "channel": "AAA, RADIUS, or TACACS authentication" }, { "name": "networkdevice:syslog", "channel": "authentication logs" }, { "name": "networkdevice:syslog", "channel": "AAA or TACACS authentication failures" }, { "name": "networkdevice:syslog", "channel": "authentication & authorization" }, { "name": "networkdevice:syslog", "channel": "login failed" }, { "name": "NSM:Connections", "channel": "Accepted password or publickey for user from remote IP" }, { "name": "NSM:Connections", "channel": "Repeated failed authentication attempts or replay patterns" }, { "name": "NSM:Connections", "channel": "Successful login without expected MFA challenge" }, { "name": "NSM:Connections", "channel": "sshd or PAM logins" }, { "name": "NSM:Flow", "channel": "TGS-REQ and AS-REQ seen 
for new user shortly after domain-modifying process" }, { "name": "Okta:authn", "channel": "authentication_failure" }, { "name": "Okta:SystemLog", "channel": "eventType: user.authentication.sso, app.oauth2.token.grant" }, { "name": "saas-app:auth", "channel": "login_failure" }, { "name": "saas:audit", "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies." }, { "name": "saas:auth", "channel": "signin_failed" }, { "name": "saas:googleworkspace", "channel": "API access without user login" }, { "name": "saas:googleworkspace", "channel": "Accessed third-party credential management service" }, { "name": "saas:googleworkspace", "channel": "login with reused session token and mismatched user agent or IP" }, { "name": "saas:googleworkspace", "channel": "Access via OAuth credentials with unusual scopes or from anomalous IPs" }, { "name": "saas:MDM", "channel": "Authentication events to device management or enterprise mobility management consoles" }, { "name": "saas:MDM", "channel": "Authentication events to Apple iCloud or enterprise device management services" }, { "name": "saas:okta", "channel": "session.impersonation.start" }, { "name": "saas:okta", "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira" }, { "name": "saas:okta", "channel": "authentication_failure" }, { "name": "saas:okta", "channel": "Sign-in logs / audit events" }, { "name": "saas:okta", "channel": "user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize" }, { "name": "saas:salesforce", "channel": "API login using access_token without login history" }, { "name": "saas:salesforce", "channel": "Login" }, { "name": "User Account", "channel": "None" }, { "name": "WinEventLog:Security", "channel": "EventCode=4625" }, { "name": "WinEventLog:Security", "channel": "EventCode=4769, 1200, 1202" }, { "name": "WinEventLog:Security", "channel": "EventCode=4768, 4769, 4770" }, { "name": 
"WinEventLog:Security", "channel": "EventCode=4769" }, { "name": "WinEventLog:Security", "channel": "EventCode=4776, 4625" }, { "name": "WinEventLog:Security", "channel": "EventCode=4625, 4771, 4648" }, { "name": "WinEventLog:Security", "channel": "EventCode=4648" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "created": "2023-03-13T20:00:08.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0114", "external_id": "DC0114" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T18:21:10.349Z", "name": "Application Permission", "description": "Represents the permissions, entitlements, or capability grants associated with a mobile application, including both permissions declared by the application and those granted or requested during runtime.\n\nMonitoring permission state helps defenders identify applications attempting to access protected device resources such as sensors, storage, communications interfaces, or system services.\n\nExamples include:\n\nAndroid\n\n- Permissions declared in AndroidManifest.xml\n- Runtime permission prompts\n- Special access privileges (AccessibilityService, overlay, device admin)\n\niOS\n\n- App entitlements in provisioning profiles\n- Privacy permission prompts\n- Capability grants for device services\n", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Application Vetting", "channel": "None" }, { "name": "android:logcat", "channel": "READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime" }, { "name": "android:MDMLog", "channel": 
"Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability" }, { "name": "iOS:MDMLog", "channel": "Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability" }, { "name": "android:MDMLog", "channel": "Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+)" }, { "name": "iOS:MDMLog", "channel": "App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state" }, { "name": "android:MDMLog", "channel": "Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change" }, { "name": "iOS:MDMLog", "channel": "Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting)" }, { "name": "android:MDMLog", "channel": "New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity" }, { "name": "iOS:MDMLog", "channel": "Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity" }, { "name": "android:MDMLog", "channel": "ADB_DEBUGGING_ENABLED" }, { "name": "iOS:MDMLog", "channel": "Compliance posture or restriction state relevant to accessory access, USB restricted mode, supervised trust policy, or backup/pairing restrictions" }, { "name": "android:MDMLog", "channel": "Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access" }, { "name": "MobileEDR:telemetry", "channel": "App with network-, telephony-, Wi-Fi-, or 
location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged" }, { "name": "MobileEDR:telemetry", "channel": "Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure" }, { "name": "MobileEDR:telemetry", "channel": "Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation" }, { "name": "android:MDMLog", "channel": "Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role" }, { "name": "iOS:MDMLog", "channel": "Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role" }, { "name": "android:MDMLog", "channel": "Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role" }, { "name": "android:MDMLog", "channel": "Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device property drift near first contact" }, { "name": "android:MDMLog", "channel": "Application granted or retaining the READ_CALENDAR or WRITE_CALENDAR permissions.
" }, { "name": "iOS:MDMLog", "channel": "Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline" }, { "name": "android:MDMLog", "channel": "Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline" }, { "name": "iOS:MDMLog", "channel": "Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline" }, { "name": "android:MDMLog", "channel": "App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile" }, { "name": "iOS:MDMLog", "channel": "Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification" }, { "name": "android:MDMLog", "channel": "App initiating resolver\u2192pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure" }, { "name": "iOS:MDMLog", "channel": "Bundle performing resolver\u2192pivot sequence not present in approved managed-app baseline or lacks expected service relationship" }, { "name": "android:MDMLog", "channel": "App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations" }, { "name": "iOS:MDMLog", "channel": "Bundle performing bidirectional 
exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations" }, { "name": "android:MDMLog", "channel": "App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval" }, { "name": "iOS:MDMLog", "channel": "Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval" }, { "name": "iOS:MDMLog", "channel": "App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port" }, { "name": "android:MDMLog", "channel": "App identity performing camera session was unmanaged, recently granted camera permission, or not approved to use camera for video or interval image capture" }, { "name": "android:MDMLog", "channel": "Application granted or retaining the READ_CALL_LOG permission. " }, { "name": "android:MDMLog", "channel": "Application granted or retaining the READ_CONTACTS permission." }, { "name": "iOS:MDMLog", "channel": "Bundle performing camera session was not present in approved managed-app baseline or was not permitted to use camera for video or interval image capture" }, { "name": "android:MDMLog", "channel": "Application granted or retaining the READ_SMS or RECEIVE_SMS permission." 
}, { "name": "android:MDMLog", "channel": "App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows" }, { "name": "android:MDMLog", "channel": "NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list" }, { "name": "android:MDMLog", "channel": "App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality" }, { "name": "android:MDMLog", "channel": "App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior" }, { "name": "android:MDMLog", "channel": "Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline" }, { "name": "iOS:MDMLog", "channel": "Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS" }, { "name": "android:MDMLog", "channel": "Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or encrypted archive generation" }, { "name": "iOS:MDMLog", "channel": "Supervised managed app without expected export, backup, or sync role performs local data staging behavior followed by opaque upload activity" }, { "name": "android:MDMLog", "channel": "Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity" }, { "name": "iOS:MDMLog", "channel": "Supervised managed app without expected local export, sync, or forensic role accesses or stages local records inconsistent with policy baseline" }, { "name": "android:MDMLog", "channel": "Managed app without approved content-download, update, browser, or file-sync role performs remote 
payload retrieval and local tool staging" }, { "name": "iOS:MDMLog", "channel": "Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with policy baseline" }, { "name": "android:MDMLog", "channel": "Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline" }, { "name": "android:MDMLog", "channel": "Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow" }, { "name": "android:MDMLog", "channel": "Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity" }, { "name": "android:MDMLog", "channel": "Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase" }, { "name": "android:MDMLog", "channel": "Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like traffic handling inconsistent with policy baseline" }, { "name": "android:MDMLog", "channel": "Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity" }, { "name": "android:MDMLog", "channel": "Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase" }, { "name": "android:MDMLog", "channel": "device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity)" }, { "name": "android:MDMLog", "channel": "application integrity mismatch or package signature inconsistency relative to expected deployment 
baseline" }, { "name": "android:MDMLog", "channel": "application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants)" }, { "name": "android:MDMLog", "channel": "application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction)" }, { "name": "android:MDMLog", "channel": "application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present" }, { "name": "iOS:MDMLog", "channel": "application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present" }, { "name": "android:MDMLog", "channel": "application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + capability state sufficient for persistent geolocation monitoring before later guarded activity" }, { "name": "iOS:MDMLog", "channel": "application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior" }, { "name": "android:MDMLog", "channel": "managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity" }, { "name": "android:MDMLog", "channel": "installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity" }, { "name": "android:MDMLog", "channel": "change to security-relevant device configuration or managed policy (e.g., 
accessibility enablement, app admin changes, security service state change) preceding telemetry degradation" }, { "name": "android:MDMLog", "channel": "application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt" }, { "name": "android:MDMLog", "channel": "application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt" }, { "name": "android:MDMLog", "channel": "application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity" }, { "name": "android:MDMLog", "channel": "application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event" }, { "name": "android:MDMLog", "channel": "device posture changes to rooted, non-compliant, weakened security state, or elevated control role becomes active before security-tool degradation" }, { "name": "android:MDMLog", "channel": "security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation" }, { "name": "android:MDMLog", "channel": "device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device" }, { "name": "android:MDMLog", "channel": "managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity" }, { "name": "android:MDMLog", "channel": "application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event" }, { "name": "android:MDMLog", "channel": "application has accessibility service privileges immediately before package-removal UI flow and subsequent 
application disappearance" }, { "name": "android:MDMLog", "channel": "device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow" }, { "name": "android:MDMLog", "channel": "application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event" }, { "name": "android:MDMLog", "channel": "device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "created": "2023-03-13T20:47:52.557Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0117", "external_id": "DC0117" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-10T15:59:54.007Z", "name": "System Notifications", "description": "System Notifications represent operating system alerts, warnings, or status messages generated in response to application actions, system state changes, or security events. 
These notifications may indicate potentially malicious activity or abnormal application behavior.\n\nExamples\n\n- Application requesting sensitive permissions\n- USB device connected notifications\n- Security warnings triggered by device configuration changes\n\nCollection Methods\n\n- Mobile OS notification monitoring\n- Mobile EDR sensors\n- Device management telemetry\n", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "User Interface", "channel": "None" }, { "name": "iOS:unifiedlog", "channel": "\\\"has pasted from\\\" cross-app paste notification text containing source app name" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0016", "external_id": "DC0016" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-01-29T17:21:27.873Z", "name": "Module Load", "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. 
This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Module", "channel": "None" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=7" }, { "name": "ETW:LoadImage", "channel": "provider: ETW LoadImage events for images from user-writable/UNC paths" }, { "name": "auditd:SYSCALL", "channel": "openat/read/mmap: Open/mmap .so files from non-standard paths" }, { "name": "linux:osquery", "channel": "select: Open files path LIKE '/tmp/%.so' OR '/dev/shm/%.so'" }, { "name": "macos:unifiedlog", "channel": "dyld/unified log entries indicating image load from non-system paths" }, { "name": "macos:osquery", "channel": "select: path LIKE '%/Library/%/*.dylib' OR '/tmp/*.dylib'" }, { "name": "macos:unifiedlog", "channel": "dynamic loading of sleep-related functions or sandbox detection libraries" }, { "name": "auditd:SYSCALL", "channel": "LD_PRELOAD Logging" }, { "name": "linux:osquery", "channel": "Dynamic Linking State" }, { "name": "macos:unifiedlog", "channel": "DYLD event subsystem" }, { "name": "linux:osquery", "channel": "Process linked with libcrypto.so making external connections" }, { "name": "macos:unifiedlog", "channel": "process execution events with dylib load activity" }, { "name": "linux:Sysmon", "channel": "EventCode=7" }, { "name": "WinEventLog:Application", "channel": "CLR Assembly creation, loading, or modification logs via MSSQL CLR integration" }, { "name": "macos:unifiedlog", "channel": "Process memory maps new dylib (dylib_load event)" }, { "name": "macos:unifiedlog", "channel": "Dylib loaded from abnormal location" }, { "name": "WinEventLog:Security", "channel": 
"EventCode=3033" }, { "name": "WinEventLog:Security", "channel": "EventCode=3063" }, { "name": "auditd:MMAP", "channel": "load: Loading of libzip.so, libz.so, or libbz2.so by processes not normally associated with archiving" }, { "name": "macos:unifiedlog", "channel": "Loading of libz.dylib, libarchive.dylib by non-standard applications" }, { "name": "macos:unifiedlog", "channel": "suspicious dlopen/dlsym usage in non-development processes" }, { "name": "m365:unified", "channel": "Non-standard Office startup component detected (e.g., unexpected DLL path)" }, { "name": "auditd:SYSCALL", "channel": "mmap" }, { "name": "esxi:vmkernel", "channel": "unexpected module load" }, { "name": "snmp:status", "channel": "Status change in cryptographic hardware modules (enabled -> disabled)" }, { "name": "esxi:vmkernel", "channel": "module load" }, { "name": "macos:unifiedlog", "channel": "delay/sleep library usage in user context" }, { "name": "linux:syslog", "channel": "kmod" }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.kextd" }, { "name": "macos:unifiedlog", "channel": "loading of unexpected dylibs compared to historical baselines" }, { "name": "auditd:file-events", "channel": "open of suspicious .so from non-standard paths" }, { "name": "macos:syslog", "channel": "DYLD_INSERT_LIBRARIES anomalies" }, { "name": "auditd:SYSCALL", "channel": "dmesg" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_KEXTLOAD" }, { "name": "auditd:SYSCALL", "channel": "module load or memory map path" }, { "name": "macos:unifiedlog", "channel": "launch and dylib load" }, { "name": "linux:osquery", "channel": "Processes linked with libssl/libcrypto performing network activity" }, { "name": "etw:Microsoft-Windows-Kernel-ImageLoad", "channel": "provider: Unsigned/user-writable image loads into msbuild.exe" }, { "name": "android:logcat", "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file" }, { "name": 
"android:logcat", "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so" }, { "name": "iOS:unifiedlog", "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path" }, { "name": "android:logcat", "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload" }, { "name": "iOS:unifiedlog", "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources" }, { "name": "android:logcat", "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "created": "2023-03-13T20:47:24.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0116", "external_id": "DC0116" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Permissions Request", "description": "System prompts triggered when an application requests new or additional permissions", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "User Interface", "channel": "None" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0040", "external_id": "DC0040" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T18:19:16.114Z", "name": "File Deletion", "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "File", "channel": "None" }, { "name": "auditd:SYSCALL", "channel": "unlink/unlinkat on service binaries or data targets" }, { "name": "auditd:SYSCALL", "channel": "file deletion" }, { "name": "macos:osquery", "channel": "file_events" }, { "name": "esxi:shell", "channel": "shell history" }, { "name": "WinEventLog:Sysmon", "channel": "EventCode=23" }, { "name": "auditd:SYSCALL", "channel": "PATH" }, { "name": "esxi:shell", "channel": "/var/log/shell.log" }, { "name": "esxi:hostd", "channel": "delete action" }, { "name": "auditd:SYSCALL", "channel": "unlink, unlinkat, openat, write" }, { "name": "macos:unifiedlog", "channel": "exec rm -rf|dd if=/dev|srm|file unlink" }, { "name": "auditd:SYSCALL", "channel": "unlink, unlinkat, rmdir" }, { "name": "auditd:SYSCALL", "channel": "unlink, rename, open" }, { "name": "linux:Sysmon", "channel": "EventCode=23" }, { "name": "fs:fsusage", "channel": "unlink, fs_delete" }, { "name": "docker:daemon", "channel": "container file operations" }, { "name": "esxi:hostd", "channel": "rm, clearlogs, logrotate" }, { "name": "esxi:hostd", "channel": "Datastore file operations" }, { "name": "macos:osquery", "channel": "CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes" }, { "name": 
"auditd:SYSCALL", "channel": "unlink/unlinkat" }, { "name": "WinEventLog:Microsoft-Windows-Backup", "channel": "Windows Backup Catalog deletion or catalog corruption" }, { "name": "auditd:CONFIG_CHANGE", "channel": "/etc/fstab, /etc/systemd/*" }, { "name": "MobileEDR:telemetry", "channel": "application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer" }, { "name": "MobileEDR:telemetry", "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime" }, { "name": "MobileEDR:telemetry", "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datacomponents/DC0034", "external_id": "DC0034" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-16T17:01:33.771Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Process", "channel": "None" }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.process" }, 
{ "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "CodeIntegrity/WDAC events indicating unsigned/invalid DLL loads" }, { "name": "linux:syslog", "channel": "sudo or service accounts invoking loaders with suspicious env vars" }, { "name": "macos:osquery", "channel": "Process Context" }, { "name": "esxi:auth", "channel": "user session" }, { "name": "networkdevice:syslog", "channel": "Admin activity" }, { "name": "auditd:SYSCALL", "channel": "execve call for sudo where euid != uid" }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.TCC" }, { "name": "macos:unifiedlog", "channel": "exec of binary with setuid/setgid and EUID != UID" }, { "name": "macos:unifiedlog", "channel": "process" }, { "name": "auditd:SYSCALL", "channel": "Use of fork/exec with DISPLAY unset or redirected" }, { "name": "EDR:Telemetry", "channel": "Process lineage and API usage enrichment (GetSystemTime, GetTimeZoneInformation, NtQuerySystemTime)" }, { "name": "esxi:hostd", "channel": "/var/log/hostd.log API calls reading/altering time/ntp settings" }, { "name": "auditd:SYSCALL", "channel": "execve, prctl, or ptrace activity affecting process memory or command-line arguments" }, { "name": "linux:osquery", "channel": "Cross-reference argv[0] with actual executable path and parent process metadata" }, { "name": "WinEventLog:AppLocker", "channel": "AppLocker audit/blocks showing developer utilities executing scripts/binaries outside policy" }, { "name": "EDR:hunting", "channel": "Correlation of signer info, parent-child lineage, rare invocation context (user host role), and API surfaces (CreateProcess*, LoadLibrary*)" }, { "name": "WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode", "channel": "ETW telemetry indicating ClickOnce deployment (dfsvc.exe) launching payloads" }, { "name": "etw:Microsoft-Windows-ClickOnce", "channel": "provider: Event Tracing for Windows (ETW) events associated with ClickOnce deployment (dfsvc.exe activity)" }, { 
"name": "WinEventLog:Microsoft-Windows-Windows Camera Frame Server/Operational", "channel": "Process session start/stop events for camera pipeline by unexpected executables" }, { "name": "linux:osquery", "channel": "select: path LIKE '/dev/video%'" }, { "name": "linux:osquery", "channel": "state=attached/debugged" }, { "name": "macos:unifiedlog", "channel": "Code Execution & Entitlement Access" }, { "name": "macos:unifiedlog", "channel": "Process opening SSH_AUTH_SOCK or /tmp/ssh-* socket not owned by same UID" }, { "name": "macos:unifiedlog", "channel": "code signature/memory protection" }, { "name": "auditd:SYSCALL", "channel": "execve with UID \u2260 EUID" }, { "name": "auditd:SYSCALL", "channel": "execve with escalated privileges" }, { "name": "AWS:CloudTrail", "channel": "cross-account or unexpected assume role" }, { "name": "macos:unifiedlog", "channel": "log collect from launchd and process start" }, { "name": "containerd:events", "channel": "Docker or containerd image pulls and process executions" }, { "name": "linux:syslog", "channel": "Kernel or daemon warnings of downgraded TLS or cryptographic settings" }, { "name": "macos:unifiedlog", "channel": "Modifications or writes to EFI system partition for downgraded bootloaders" }, { "name": "macos:unifiedlog", "channel": "non-shell process tree accessing bash history" }, { "name": "linux:osquery", "channel": "process metadata mismatch between /proc and runtime attributes" }, { "name": "linux:osquery", "channel": "process environment variables containing LD_PRELOAD" }, { "name": "WinEventLog:PowerShell", "channel": "EventCode=400, 403" }, { "name": "macos:osquery", "channel": "Process Execution + Hash" }, { "name": "etw:Microsoft-Windows-Kernel-Process", "channel": "process_start: EventHeader.ProcessId true parent vs reported PPID mismatch" }, { "name": "macos:endpointsecurity", "channel": "ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_MMAP" }, { "name": 
"WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "Unsigned/invalid signature modules or images loaded by msbuild.exe or its children" }, { "name": "WinEventLog:Microsoft-Windows-DeviceGuard/Operational", "channel": "WDAC policy audit/block affecting msbuild.exe spawned payloads" }, { "name": "WinEventLog:Microsoft-Windows-SmartAppControl/Operational", "channel": "Smart App Control decisions (audit/block) for msbuild.exe-launched executables" }, { "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime" }, { "name": "macos:unifiedlog", "channel": "Crash or abnormal termination of security agent or system extension host" } ] }, { "type": "x-mitre-data-component", "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/data-components/DC0001", "external_id": "DC0001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-09T17:05:23.355Z", "name": "Scheduled Job Creation", "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { "name": "Scheduled Job", "channel": "None" }, { "name": "WinEventLog:Security", "channel": "EventCode=4698" }, { "name": "linux:syslog", "channel": "Execution of non-standard script or binary by cron" }, { "name": "WinEventLog:TaskScheduler", "channel": "EventCode=106" }, { "name": "linux:osquery", "channel": "crontab, 
systemd_timers" }, { "name": "macos:osquery", "channel": "launchd_jobs" }, { "name": "esxi:vmkernel", "channel": "Startup script and task execution logs" }, { "name": "kubernetes:apiserver", "channel": "verb=create, resource=cronjobs, group=batch" }, { "name": "linux:osquery", "channel": "file_events" }, { "name": "macos:unifiedlog", "channel": "process: crontab edits, launch of cron job" }, { "name": "macos:osquery", "channel": "file_events - cron, launchd" }, { "name": "esxi:cron", "channel": "execution of scheduled job" }, { "name": "esxi:hostd", "channel": "task creation events" }, { "name": "macos:cron", "channel": "cron/launchd" }, { "name": "WinEventLog:Security", "channel": "EventCode=4699" }, { "name": "linux:cron", "channel": "Scheduled execution of unknown or unusual script/binary" }, { "name": "MobileEDR:telemetry", "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger" } ] }, { "type": "x-mitre-data-source", "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0013", "external_id": "DS0013" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Sensor Health", "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Linux", "Windows", "macOS", "Android", "iOS" ], "x_mitre_deprecated": true, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Center for 
Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ] }, { "type": "x-mitre-data-source", "id": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "created": "2023-03-13T19:36:25.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0042", "external_id": "DS0042" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "User Interface", "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": [ "Device" ] }, { "type": "x-mitre-data-source", "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0017", "external_id": "DS0017" }, { "source_name": "Confluence Linux Command Line", "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" }, { "source_name": "Audit OSX", "description": "Gagliardi, R. (n.d.). Audit in a OS X System. 
Retrieved September 23, 2021.", "url": "https://www.scip.ch/en/?labs.20150108" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Command", "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Containers", "Linux", "Network Devices", "Windows", "macOS", "Android", "iOS", "ESXi" ], "x_mitre_deprecated": true, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)", "Austin Clark, @c2defense" ], "x_mitre_collection_layers": [ "Container", "Host" ] }, { "type": "x-mitre-data-source", "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0029", "external_id": "DS0029" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Network Traffic", "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "IaaS", "Linux", "Windows", "macOS", "Android", "iOS", "ESXi" ], "x_mitre_deprecated": true, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", 
"x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)", "ExtraHop" ], "x_mitre_collection_layers": [ "Cloud Control Plane", "Host", "Network" ] }, { "type": "x-mitre-data-source", "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "created": "2023-03-13T19:30:41.131Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0041", "external_id": "DS0041" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Application Vetting", "description": "Application vetting report generated by an external cloud service.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": [ "Report" ] }, { "type": "x-mitre-data-source", "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0009", "external_id": "DS0009" }, { "source_name": "Microsoft Processes and Threads", "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Process", "description": "Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Linux", "Windows", "macOS", "Android", "iOS", "ESXi" ], "x_mitre_deprecated": true, "x_mitre_domains": [ "ics-attack", "mobile-attack", "enterprise-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ] }, { "modified": "2025-03-28T15:23:16.915Z", "name": "Operation Triangulation", "description": "[Operation Triangulation](https://attack.mitre.org/campaigns/C0054) is a mobile campaign targeting iOS devices.(Citation: SecureList OpTriangulation 01Jun2023) The unidentified actors used zero-click exploits in iMessage attachments to gain [Initial Access](https://attack.mitre.org/tactics/TA0027), then executed exploits and validators, such as [Binary Validator](https://attack.mitre.org/software/S1215) before finally executing the [TriangleDB](https://attack.mitre.org/software/S1216) implant. 
", "aliases": [ "Operation Triangulation" ], "first_seen": "2019-01-01T08:00:00.000Z", "last_seen": "2023-06-01T07:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_last_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "spec_version": "2.1", "id": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "created": "2025-03-28T14:45:30.132Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0054", "external_id": "C0054" }, { "source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2024-04-11T15:10:14.209Z", "name": "C0033", "description": "[C0033](https://attack.mitre.org/campaigns/C0033) was a [PROMETHIUM](https://attack.mitre.org/groups/G0056) campaign during which they used [StrongPity](https://attack.mitre.org/software/S0491) to target Android users. 
[C0033](https://attack.mitre.org/campaigns/C0033) was the first publicly documented mobile campaign for [PROMETHIUM](https://attack.mitre.org/groups/G0056), who previously used Windows-based techniques.(Citation: welivesec_strongpity)", "aliases": [ "C0033" ], "first_seen": "2016-05-01T07:00:00.000Z", "last_seen": "2023-01-01T08:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: securelist_strongpity)", "x_mitre_last_seen_citation": "(Citation: welivesec_strongpity)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_contributors": [ "Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India" ], "type": "campaign", "spec_version": "2.1", "id": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "created": "2024-03-28T18:00:04.123Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0033", "external_id": "C0033" }, { "source_name": "securelist_strongpity", "description": "Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024.", "url": "https://securelist.com/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/76147/" }, { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", "created": "2019-05-24T17:02:44.226Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0090", "external_id": "G0090" }, { "source_name": "WIRTE", "description": "(Citation: Lab52 WIRTE Apr 2019)" }, { "source_name": "Ashen Lepus", "description": "(Citation: Palo Alto Ashen Lepus DEC 2025)" }, { "source_name": "Check Point Wirte NOV 2024", "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.", "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/" }, { "source_name": "Lab52 WIRTE Apr 2019", "description": "S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.", "url": "https://lab52.io/blog/wirte-group-attacking-the-middle-east/" }, { "source_name": "Palo Alto Ashen Lepus DEC 2025", "description": "Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.", "url": "https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/" }, { "source_name": "Kaspersky WIRTE November 2021", "description": "Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. 
Retrieved February 1, 2022.", "url": "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T02:15:29.965Z", "name": "WIRTE", "description": "[WIRTE](https://attack.mitre.org/groups/G0090) is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. [WIRTE](https://attack.mitre.org/groups/G0090) has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)(Citation: Check Point Wirte NOV 2024)(Citation: Palo Alto Ashen Lepus DEC 2025)", "aliases": [ "WIRTE", "Ashen Lepus" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Lab52 by S2 Grupo" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "created": "2020-01-27T16:55:39.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0097", "external_id": "G0097" }, { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:41:32.241Z", "name": "Bouncing Golf", "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", "aliases": [ "Bouncing Golf" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "mobile-attack" ] }, { "modified": "2024-11-17T14:15:51.850Z", "name": "Windshift", "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "aliases": [ "Windshift", "Bahamut" ], "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "created": "2020-06-25T17:16:39.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0112", "external_id": "G0112" }, { "source_name": "Bahamut", "description": "(Citation: SANS Windshift August 2018)" }, { "source_name": "SANS Windshift August 2018", "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. 
Retrieved November 17, 2024.", "url": "https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868" }, { "source_name": "objective-see windtail1 dec 2018", "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.", "url": "https://objective-see.com/blog/blog_0x3B.html" }, { "source_name": "objective-see windtail2 jan 2019", "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.", "url": "https://objective-see.com/blog/blog_0x3D.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "created": "2019-08-26T15:03:02.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0094", "external_id": "G0094" }, { "source_name": "Cloudflare 2026 Threat Report New Threat Actors March 2026", "description": " Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. 
Retrieved April 18, 2026.", "url": "https://blog.cloudflare.com/2026-threat-report/" }, { "source_name": "PatheticSlug", "description": "(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)" }, { "source_name": "Black Banshee", "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)" }, { "source_name": "THALLIUM", "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)" }, { "source_name": "APT43", "description": "(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)" }, { "source_name": "Emerald Sleet", "description": "(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Proofpoint TA427 April 2024)" }, { "source_name": "TA427", "description": "(Citation: Proofpoint TA427 April 2024)" }, { "source_name": "Earth Kumiho", "description": "(Citation: Rapid7 Threat Landscape Actors March 2026)" }, { "source_name": "Kimsuky", "description": "(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)" }, { "source_name": "Springtail", "description": "(Citation: Symantec Troll Stealer 2024)" }, { "source_name": "Velvet Chollima", "description": "(Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)" }, { "source_name": "AhnLab Kimsuky Kabar Cobra Feb 2019", "description": "AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.", "url": "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf" }, { "source_name": "EST Kimsuky April 2019", "description": "Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. 
Retrieved August 13, 2019.", "url": "https://blog.alyac.co.kr/2234" }, { "source_name": "Netscout Stolen Pencil Dec 2018", "description": "ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.", "url": "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" }, { "source_name": "Zdnet Kimsuky Dec 2018", "description": "Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.", "url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" }, { "source_name": "CISA AA20-301A Kimsuky", "description": "CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-301a" }, { "source_name": "Cybereason Kimsuky November 2020", "description": "Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.", "url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" }, { "source_name": "EST Kimsuky SmokeScreen April 2019", "description": "ESTSecurity. (2019, April 17). Analysis of the APT Campaign \u2018Smoke Screen\u2019 targeting to Korea and US \ucd9c\ucc98: https://blog.alyac.co.kr/2243 [\uc774\uc2a4\ud2b8\uc2dc\ud050\ub9ac\ud2f0 \uc54c\uc57d \ube14\ub85c\uadf8]. Retrieved September 29, 2021.", "url": "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf" }, { "source_name": "Malwarebytes Kimsuky June 2021", "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.", "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" }, { "source_name": "Proofpoint TA427 April 2024", "description": "Lesnewich, G. et al. 
(2024, April 16). From Social Engineering to DMARC Abuse: TA427\u2019s Art of Information Gathering. Retrieved May 3, 2024.", "url": "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering" }, { "source_name": "Mandiant APT43 March 2024", "description": "Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.", "url": "https://services.google.com/fh/files/misc/apt43-report-en.pdf" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { "source_name": "MSFT-AI", "description": "Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.", "url": "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/" }, { "source_name": "Rapid7 Threat Landscape Actors March 2026", "description": "Rapid7. (2026, March 18). 2026 GLOBAL THREAT LANDSCAPE REPORT: Decoding the Accelerated Cyber Attack Cycle. Retrieved April 18, 2026.", "url": "https://www.rapid7.com/cdn/assets/bltc1ddd6561ab54a26/69ba67de50ca691edcd3f5b7/rapid7-threat-landscape-report-2026.pdf" }, { "source_name": "Symantec Troll Stealer 2024", "description": "Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.", "url": "https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage" }, { "source_name": "Securelist Kimsuky Sept 2013", "description": "Tarakanov , D.. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. 
Retrieved August 13, 2019.", "url": "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" }, { "source_name": "ThreatConnect Kimsuky September 2020", "description": "ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.", "url": "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T18:46:50.938Z", "name": "Kimsuky", "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) \n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. 
compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)\n\nDPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under [Lazarus Group](https://attack.mitre.org/groups/G0032), rather than tracking operationally distinct subgroups.", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail", "Earth Kumiho", "PatheticSlug" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "5.2", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Dongwook Kim, KISA", "Jaesang Oh, KC7 Foundation", "Taewoo Lee, KISA", "Wai Linn Oo, Kernellix Co.,Ltd." 
], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "created": "2023-07-05T17:54:54.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1015", "external_id": "G1015" }, { "source_name": "Roasted 0ktapus", "description": "(Citation: CrowdStrike Scattered Spider BYOVD January 2023)" }, { "source_name": "UNC3944", "description": "(Citation: Mandiant UNC3944 May 2025)(Citation: Mandiant VMware vSphere JUL 2025)" }, { "source_name": "Octo Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "Storm-0875", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "CISA Scattered Spider Advisory November 2023", "description": "CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a" }, { "source_name": "CrowdStrike Scattered Spider BYOVD January 2023", "description": "CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.", "url": "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/" }, { "source_name": "CrowdStrike Scattered Spider Profile", "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", "url": "https://www.crowdstrike.com/adversaries/scattered-spider/" }, { "source_name": "Mandiant VMware vSphere JUL 2025", "description": "Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. 
Retrieved October 13, 2025.", "url": "https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944" }, { "source_name": "Mandiant UNC3944 May 2025", "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.", "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { "source_name": "MSTIC Octo Tempest Operations October 2023", "description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.", "url": "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" }, { "source_name": "Crowdstrike TELCO BPO Campaign December 2022", "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", "url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-24T02:30:51.936Z", "name": "Scattered Spider", "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. 
(Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. (Citation: Mandiant UNC3944 May 2025)", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "modified": "2024-11-17T20:01:55.806Z", "name": "APT-C-23", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. 
[APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)", "aliases": [ "APT-C-23", "Mantis", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion" ], "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_contributors": [ "Sittikorn Sangrattanapitak" ], "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "created": "2024-03-26T18:38:00.759Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1028", "external_id": "G1028" }, { "source_name": "Big Bang APT", "description": "(Citation: checkpoint_interactive_map_apt-c-23) " }, { "source_name": "Grey Karkadann", "description": "(Citation: sentinelone_israel_hamas_war)" }, { "source_name": "Mantis", "description": "(Citation: symantec_mantis)(Citation: sentinelone_israel_hamas_war)" }, { "source_name": "Two-tailed Scorpion", "description": "(Citation: welivesecurity_apt-c-23)" }, { "source_name": "Arid Viper", "description": "(Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)" }, { "source_name": "Desert Falcon", "description": "(Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)" }, { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" }, { "source_name": "sentinelone_israel_hamas_war", "description": "Hegel, T., Milenkoski, A. (2023, October 24). 
The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/" }, { "source_name": "checkpoint_interactive_map_apt-c-23", "description": "Kayal, A. (2018, August 26). Interactive Mapping of APT-C-23. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20230604112435/https://research.checkpoint.com/2018/interactive-mapping-of-apt-c-23/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" }, { "source_name": "symantec_mantis", "description": "Symantec Threat Hunter Team. (2023, April 4). Mantis: New Tooling Used in Attacks Against Palestinian Targets. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20231227054130/https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack", "enterprise-attack" ] }, { "modified": "2024-04-11T02:42:07.325Z", "name": "Dark Caracal", "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. 
(Citation: Lookout Dark Caracal Jan 2018)", "aliases": [ "Dark Caracal" ], "x_mitre_deprecated": false, "x_mitre_version": "1.4", "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0070", "external_id": "G0070" }, { "source_name": "Dark Caracal", "description": "(Citation: Lookout Dark Caracal Jan 2018)" }, { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "modified": "2024-12-04T21:17:08.593Z", "name": "Sandworm Team", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical 
companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "x_mitre_deprecated": false, "x_mitre_version": "4.2", "x_mitre_contributors": [ "Dragos Threat Intelligence", "Hakan KARABACAK" ], "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "created": "2017-05-31T21:32:04.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0034", "external_id": "G0034" }, { "source_name": "Voodoo Bear", "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "ELECTRUM", "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Sandworm Team", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC 
Olympic Attacks October 2020)" }, { "source_name": "Quedagh", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "FROZENBARENTS", "description": "(Citation: Leonard TAG 2023)" }, { "source_name": "APT44", "description": "(Citation: mandiant_apt44_unearthing_sandworm)" }, { "source_name": "IRIDIUM", "description": "(Citation: Microsoft Prestige ransomware October 2022)" }, { "source_name": "Seashell Blizzard", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "BlackEnergy (Group)", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Telebots", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "IRON VIKING", "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Leonard TAG 2023", "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.", "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" }, { "source_name": "US District Court Indictment GRU Oct 2018", "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", "url": "https://www.justice.gov/opa/page/file/1098481/download" }, { "source_name": "Dragos ELECTRUM", "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", "url": "https://www.dragos.com/resource/electrum/" }, { "source_name": "F-Secure BlackEnergy 2014", "description": "F-Secure Labs. (2014). 
BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" }, { "source_name": "iSIGHT Sandworm 2014", "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" }, { "source_name": "CrowdStrike VOODOO BEAR", "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { "source_name": "Microsoft Prestige ransomware October 2022", "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" }, { "source_name": "InfoSecurity Sandworm Oct 2014", "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" }, { "source_name": "NCSC Sandworm Feb 2020", "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. 
Retrieved June 10, 2020.", "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" }, { "source_name": "USDOJ Sandworm Feb 2020", "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.", "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html" }, { "source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" }, { "source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download" }, { "source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" }, { "source_name": "UK NCSC Olympic Attacks October 2020", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020.", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "ics-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "created": "2017-05-31T21:31:48.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0007", "external_id": "G0007" }, { "source_name": "SNAKEMACKEREL", "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" }, { "source_name": "Fancy Bear", "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" }, { "source_name": "Tsar Team", "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "APT28", "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" }, { "source_name": "STRONTIUM", "description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft 
STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" }, { "source_name": "FROZENLAKE", "description": "(Citation: Leonard TAG 2023)" }, { "source_name": "Forest Blizzard", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "GruesomeLarch", "description": "(Citation: Nearest Neighbor Volexity)" }, { "source_name": "IRON TWILIGHT", "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)" }, { "source_name": "Threat Group-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "TG-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "Pawn Storm", "description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) " }, { "source_name": "Swallowtail", "description": "(Citation: Symantec APT28 Oct 2018)" }, { "source_name": "Group 74", "description": "(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Accenture SNAKEMACKEREL Nov 2018", "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.", "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" }, { "source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" }, { "source_name": "Leonard TAG 2023", "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. 
Retrieved March 1, 2024.", "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" }, { "source_name": "US District Court Indictment GRU Oct 2018", "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", "url": "https://www.justice.gov/opa/page/file/1098481/download" }, { "source_name": "GRIZZLY STEPPE JAR", "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.", "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" }, { "source_name": "ESET Zebrocy May 2019", "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" }, { "source_name": "ESET Sednit Part 3", "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" }, { "source_name": "Sofacy DealersChoice", "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" }, { "source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.", "url": "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf" }, { "source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015.", "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" }, { "source_name": "Ars Technica GRU indictment Jul 2018", "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" }, { "source_name": "TrendMicro Pawn Storm Dec 2020", "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.", "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" }, { "source_name": "Securelist Sofacy Feb 2018", "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" }, { "source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" }, { "source_name": "Nearest Neighbor Volexity", "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.", "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/" }, { "source_name": "Palo Alto Sofacy 06-2018", "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. 
Retrieved June 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" }, { "source_name": "Talos Seduploader Oct 2017", "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.", "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.", "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" }, { "source_name": "Microsoft STRONTIUM Aug 2019", "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.", "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" }, { "source_name": "DOJ GRU Indictment Jul 2018", "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.", "url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf" }, { "source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021", "description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021.", "url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" }, { "source_name": "NSA/FBI Drovorub August 2020", "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.", "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" }, { "source_name": "SecureWorks TG-4127", "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" }, { "source_name": "Secureworks IRON TWILIGHT Active Measures March 2017", "description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.", "url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures" }, { "source_name": "Secureworks IRON TWILIGHT Profile", "description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.", "url": "https://www.secureworks.com/research/threat-profiles/iron-twilight" }, { "source_name": "Symantec APT28 Oct 2018", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. 
Retrieved November 14, 2018.", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" }, { "source_name": "Sednit", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)" }, { "source_name": "Sofacy", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-21T13:20:49.866Z", "name": "APT28", "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. 
presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Swallowtail", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "5.3", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Drew Church, Splunk", "Emily Ratliff, IBM", "Richard Gold, Digital Shadows", "S\u00e9bastien Ruel, CGI" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "modified": "2024-04-11T02:52:27.131Z", "name": "BITTER", "description": "[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. 
[BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)", "aliases": [ "BITTER", "T-APT-17" ], "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9", "created": "2022-06-01T20:26:53.880Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1002", "external_id": "G1002" }, { "source_name": "T-APT-17", "description": "(Citation: Cisco Talos Bitter Bangladesh May 2022)" }, { "source_name": "Forcepoint BITTER Pakistan Oct 2016", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.", "url": "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" }, { "source_name": "Cisco Talos Bitter Bangladesh May 2022", "description": "Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.", "url": "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "modified": "2024-04-11T00:30:42.003Z", "name": "Operation Dust Storm", "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. 
By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", "aliases": [ "Operation Dust Storm" ], "first_seen": "2010-01-01T07:00:00.000Z", "last_seen": "2016-02-01T06:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "campaign", "spec_version": "2.1", "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "created": "2022-09-29T20:00:38.136Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0016", "external_id": "C0016" }, { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", "created": "2022-07-01T20:12:30.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1006", "external_id": "G1006" }, { "source_name": "Charcoal Typhoon", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "ControlX", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "CHROMIUM", "description": "(Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)" }, { "source_name": "TAG-22", "description": "(Citation: Recorded Future TAG-22 July 2021)" }, { "source_name": "TrendMicro EarthLusca 2022", "description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca\u2019s Operations. Retrieved July 1, 2022.", "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" }, { "source_name": "Recorded Future TAG-22 July 2021", "description": "INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 16, 2024.", "url": "https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan" }, { "source_name": "Recorded Future RedHotel August 2023", "description": "Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.", "url": "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-06T14:55:18.144Z", "name": "Earth Lusca", "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "created": "2017-05-31T21:32:07.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0040", "external_id": "G0040" }, { "source_name": "Patchwork", "description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)" }, { "source_name": "Chinastrats", "description": "(Citation: Securelist Dropping Elephant)" }, { "source_name": "Dropping Elephant", "description": "(Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto 
Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)" }, { "source_name": "Hangover Group", "description": "[Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)" }, { "source_name": "Cymmetria Patchwork", "description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180825085952/https:/s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" }, { "source_name": "Operation Hangover May 2013", "description": "Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20140424084220/http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" }, { "source_name": "Symantec Patchwork", "description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.", "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" }, { "source_name": "Unit 42 BackConfig May 2020", "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.", "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" }, { "source_name": "Operation Hangover", "description": "It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. 
(Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)" }, { "source_name": "Securelist Dropping Elephant", "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.", "url": "https://securelist.com/the-dropping-elephant-actor/75328/" }, { "source_name": "PaloAlto Patchwork Mar 2018", "description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" }, { "source_name": "TrendMicro Patchwork Dec 2017", "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.", "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" }, { "source_name": "Volexity Patchwork June 2018", "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.", "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" }, { "source_name": "MONSOON", "description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)" }, { "source_name": "Forcepoint Monsoon", "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. 
Retrieved September 22, 2016.", "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T23:13:16.458Z", "name": "Patchwork", "description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)", "aliases": [ "Patchwork", "Hangover Group", "Dropping Elephant", "Chinastrats", "MONSOON", "Operation Hangover" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.6", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "created": "2019-09-23T13:43:36.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0096", "external_id": "G0096" }, { "source_name": "Wicked Panda", "description": "(Citation: Crowdstrike GTR2020 Mar 2020)" }, { "source_name": "APT41", "description": "(Citation: FireEye APT41 2019)" }, { 
"source_name": "Brass Typhoon", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "BARIUM", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "Crowdstrike GTR2020 Mar 2020", "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.", "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" }, { "source_name": "FireEye APT41 2019", "description": "FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.", "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" }, { "source_name": "FireEye APT41 Aug 2019", "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.", "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" }, { "source_name": "apt41_mandiant", "description": "Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.", "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { "source_name": "Group IB APT 41 June 2021", "description": "Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. 
Retrieved August 26, 2021.", "url": "https://www.group-ib.com/blog/colunmtk-apt41/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-11T20:13:29.024Z", "name": "APT41", "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "4.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Kyaw Pyiyt Htet, @KyawPyiytHtet", "Nikita Rostovcev, Group-IB" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410", "created": "2024-06-14T18:17:18.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1033", "external_id": "G1033" }, { "source_name": "Callisto Group", "description": "(Citation: CISA Star Blizzard Advisory December 2023)" }, { "source_name": "TA446", "description": 
"(Citation: CISA Star Blizzard Advisory December 2023)" }, { "source_name": "COLDRIVER", "description": "(Citation: Google TAG COLDRIVER January 2024)" }, { "source_name": "SEABORGIUM", "description": "(Citation: Microsoft Star Blizzard August 2022)" }, { "source_name": "CISA Star Blizzard Advisory December 2023", "description": "CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a" }, { "source_name": "Microsoft Star Blizzard August 2022", "description": "Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM\u2019s ongoing phishing operations. Retrieved June 13, 2024.", "url": "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/" }, { "source_name": "StarBlizzard", "description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.", "url": "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/" }, { "source_name": "Google TAG COLDRIVER January 2024", "description": "Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.", "url": "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-22T22:12:56.172Z", "name": "Star Blizzard", "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. 
[Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)\n", "aliases": [ "Star Blizzard", "SEABORGIUM", "Callisto Group", "TA446", "COLDRIVER" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Aung Kyaw Min Naing, @Nolan" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "created": "2021-12-26T23:11:39.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0142", "external_id": "G0142" }, { "source_name": "TrendMicro Confucius APT Feb 2018", "description": "Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.", "url": "https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html" }, { "source_name": "TrendMicro Confucius APT Aug 2021", "description": "Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.", "url": "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" }, { "source_name": "Uptycs Confucius APT Jan 2021", "description": "Uptycs Threat Research Team. (2021, January 12). 
Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.", "url": "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T20:37:36.476Z", "name": "Confucius", "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", "aliases": [ "Confucius", "Confucius APT" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "modified": "2024-04-02T18:58:54.885Z", "name": "UNC788", "description": "[UNC788](https://attack.mitre.org/groups/G1029) is a group of hackers from Iran that has targeted people in the Middle East.(Citation: Meta Adversarial Threat Report 2022)", "aliases": [ "UNC788" ], "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_contributors": [ "Denise Tan" ], "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258", "created": "2024-04-02T18:58:36.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1029", "external_id": "G1029" }, { "source_name": "Meta Adversarial Threat Report 2022", "description": 
"Agranovich, D., et al. (2022, April). Adversarial Threat Report. Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", "created": "2023-09-25T18:11:05.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1019", "external_id": "G1019" }, { "source_name": "MoustachedBouncer ESET August 2023", "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T20:37:40.255Z", "name": "MoustachedBouncer", "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", "aliases": [ "MoustachedBouncer" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0069", "external_id": "G0069" }, { "source_name": "Cloudflare 2026 Threat Report New Threat Actors March 2026", "description": " Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.", "url": "https://blog.cloudflare.com/2026-threat-report/" }, { "source_name": "MERCURY", "description": "(Citation: Anomali Static Kitten February 2021)" }, { "source_name": "Static Kitten", "description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "MuddyKrill", "description": "(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)" }, { "source_name": "TEMP.Zagros", "description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "Mango Sandstorm", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "TA450", "description": "(Citation: Proofpoint TA450 Phishing March 2024)" }, { "source_name": "Seedworm", "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "Earth Vetala", "description": "(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "MuddyWater", "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)" }, { "source_name": "ClearSky MuddyWater Nov 2018", "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. 
Retrieved November 29, 2018.", "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" }, { "source_name": "ClearSky MuddyWater June 2019", "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.", "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" }, { "source_name": "CYBERCOM Iranian Intel Cyber January 2022", "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" }, { "source_name": "ESET_MuddyWater_Dec2025", "description": "ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.", "url": "https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/" }, { "source_name": "FalconFeeds_Iran_Mar2026", "description": "FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran\u2019s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026.", "url": "https://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict" }, { "source_name": "DHS CISA AA22-055A MuddyWater February 2022", "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" }, { "source_name": "Huntio_IranInfra_Mar2026", "description": "Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation. 
Retrieved April 16, 2026.", "url": "https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters" }, { "source_name": "Unit 42 MuddyWater Nov 2017", "description": "Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" }, { "source_name": "Talos MuddyWater Jan 2022", "description": "Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.", "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" }, { "source_name": "Anomali Static Kitten February 2021", "description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.", "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { "source_name": "Proofpoint TA450 Phishing March 2024", "description": "Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.", "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" }, { "source_name": "NaumaanProofpoint_GlobalClickFix_April2025", "description": "Naumaan, S., et al. (2025, April 17). 
Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Retrieved January 21, 2026.", "url": "https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix" }, { "source_name": "Trend Micro Muddy Water March 2021", "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" }, { "source_name": "Reaqta MuddyWater November 2017", "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.", "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" }, { "source_name": "FireEye MuddyWater Mar 2018", "description": "Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" }, { "source_name": "Symantec MuddyWater Dec 2018", "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.", "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" }, { "source_name": "SymantecCarbonBlack_Seedworm_Mar2026", "description": "Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. 
Retrieved March 5, 2026.", "url": "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T03:26:57.416Z", "name": "MuddyWater", "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](https://attack.mitre.org/groups/G0069) has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, [MuddyWater](https://attack.mitre.org/groups/G0069) used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. 
(Citation: FalconFeeds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_MuddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar2026)", "aliases": [ "MuddyWater", "Earth Vetala", "MERCURY", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450", "MuddyKrill" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "7.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Daniyal Naeem, BT Security", "Marco Pedrinazzi, @pedrinazziM", "Ozer Sarilar, @ozersarilar, STM", "Dragos Threat Intelligence" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", "created": "2022-06-09T19:14:31.327Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1004", "external_id": "G1004" }, { "source_name": "Strawberry Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { "source_name": "DEV-0537", "description": "(Citation: MSTIC DEV-0537 Mar 2022)" }, { "source_name": "BBC LAPSUS Apr 2022", "description": "BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.", "url": "https://www.bbc.com/news/technology-60953527" }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft. (2023, July 12). How Microsoft names threat actors. 
"Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { "source_name": "MSTIC DEV-0537 Mar 2022", "description": "MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.", "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" }, { "source_name": "UNIT 42 LAPSUS Mar 2022", "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.", "url": "https://unit42.paloaltonetworks.com/lapsus-group/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-21T19:40:47.538Z", "name": "LAPSUS$", "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) is a cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. 
The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)", "aliases": [ "LAPSUS$", "DEV-0537", "Strawberry Tempest" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "David Hughes, BT Security", "Matt Brenton, Zurich Insurance Group", "Fl\u00e1vio Costa, @Seguran\u00e7a Descomplicada", "Caio Silva" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0680", "external_id": "DET0680" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Security Software Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2", "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0657", "external_id": "DET0657" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Subvert Trust Controls", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa", "x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0640", "external_id": "DET0640" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Hide Artifacts", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0684", "external_id": "DET0684" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": 
"2025-10-21T15:10:28.402Z", "name": "Detection of Phishing", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec", "x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0651", "external_id": "DET0651" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Indicator Removal on Host", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369", "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0665", "external_id": "DET0665" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Exploitation for Privilege Escalation", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73", "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0616", "external_id": "DET0616" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Virtualization/Sandbox Evasion", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c", "x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0671", "external_id": "DET0671" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Data Destruction", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ 
"mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0689", "external_id": "DET0689" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of System Runtime API Hijacking", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0638", "external_id": "DET0638" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of File Deletion", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": 
"x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0599", "external_id": "DET0599" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of SMS Control", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0700", "external_id": "DET0700" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Bidirectional Communication", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea", "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { 
"source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0652", "external_id": "DET0652" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Application Versioning", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c", "x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0688", "external_id": "DET0688" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Out of Band Data", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe", "x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0617", "external_id": "DET0617" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Dead Drop Resolver", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30", "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0675", "external_id": "DET0675" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Location Tracking", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644", "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0629", "external_id": "DET0629" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Exploitation for Client 
Execution", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff", "x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0696", "external_id": "DET0696" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Network Service Scanning", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f", "x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0660", "external_id": "DET0660" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Data Manipulation", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": 
"3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0692", "external_id": "DET0692" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Process Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba", "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0656", "external_id": "DET0656" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Steal Application Access Token", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5", "x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959" ], 
"x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0669", "external_id": "DET0669" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Domain Generation Algorithms", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0", "x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0630", "external_id": "DET0630" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Device Administrator Permissions", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9", "created": 
"2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0613", "external_id": "DET0613" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Dynamic Resolution", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7", "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0602", "external_id": "DET0602" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Call Log", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a", "x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0682", "external_id": "DET0682" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of File and Directory Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e", "x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0639", "external_id": "DET0639" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Network Denial of Service", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f", "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0708", "external_id": "DET0708" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Internet Connection Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d", "x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0648", "external_id": "DET0648" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Geofencing", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb", "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0663", "external_id": "DET0663" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Exploitation of Remote 
Services", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f", "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0604", "external_id": "DET0604" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Compromise Hardware Supply Chain", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db", "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0655", "external_id": "DET0655" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Command and Scripting Interpreter", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07", "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0633", "external_id": "DET0633" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Credentials from Password Store", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719" ], "x_mitre_deprecated": false }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--9559ecaf-2e75-48a7-aee8-9974020bc772", "created": "2017-05-31T21:32:07.928Z", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0042", "external_id": "G0042" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:49:59.530Z", "name": "MONSOON", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "mobile-attack" ] }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0721", "external_id": "DET0721" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Compromise Software Supply Chain", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c", "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0712", "external_id": "DET0712" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Compromise Client Software Binary", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092", "x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0716", "external_id": "DET0716" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Linked Devices", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff", "x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0653", "external_id": "DET0653" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Execution Guardrails", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184", "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0693", "external_id": "DET0693" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Disable or Modify Tools", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0702", "external_id": "DET0702" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Remote Device Management Services", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb", "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0664", "external_id": "DET0664" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Keychain", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0637", "external_id": "DET0637" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Foreground Persistence", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0618", "external_id": "DET0618" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Download New Code at Runtime", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f", 
"x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0691", "external_id": "DET0691" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Replication Through Removable Media", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812", "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0600", "external_id": "DET0600" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Software Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc", "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", 
"spec_version": "2.1", "id": "x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0611", "external_id": "DET0611" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Access Notifications", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0612", "external_id": "DET0612" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Input Injection", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0606", "external_id": "DET0606" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Virtualization Solution", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0701", "external_id": "DET0701" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Exfiltration Over Unencrypted Non-C2 Protocol", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e", "x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0703", "external_id": "DET0703" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Call Control", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0710", "external_id": "DET0710" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Disguise Root/Jailbreak Indicators", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e", "x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0619", "external_id": "DET0619" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Code Signing Policy Modification", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8", "x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0687", "external_id": "DET0687" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Impair Defenses", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0714", "external_id": "DET0714" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Suppress Application Icon", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793" ], "x_mitre_deprecated": false }, { 
"type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0658", "external_id": "DET0658" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of SIM Card Swap", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f", "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0706", "external_id": "DET0706" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Non-Standard Port", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960", "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b", "created": 
"2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0695", "external_id": "DET0695" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Video Capture", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52", "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0610", "external_id": "DET0610" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of One-Way Communication", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b", "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", 
"url": "https://attack.mitre.org/detectionstrategies/DET0676", "external_id": "DET0676" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of GUI Input Capture", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521", "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0635", "external_id": "DET0635" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Accounts", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3", "x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0686", "external_id": "DET0686" } ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of SMS Messages", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd", "x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0628", "external_id": "DET0628" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Supply Chain Compromise", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf", "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0598", "external_id": "DET0598" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Prevent Application 
Removal", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0698", "external_id": "DET0698" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Exfiltration Over Alternative Protocol", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782", "x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0720", "external_id": "DET0720" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Obfuscated Files or Information", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ 
"mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2", "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0718", "external_id": "DET0718" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Ingress Tool Transfer", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db", "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0654", "external_id": "DET0654" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Boot or Logon Initialization Scripts", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c", 
"x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864" ], "x_mitre_deprecated": false }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", "created": "2019-02-05T17:56:55.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0086", "external_id": "G0086" }, { "source_name": "Stolen Pencil", "description": "(Citation: Netscout Stolen Pencil Dec 2018)" }, { "source_name": "Netscout Stolen Pencil Dec 2018", "description": "ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.", "url": "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-25T14:49:37.027Z", "name": "Stolen Pencil", "description": "[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. 
The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)", "aliases": [ "Stolen Pencil" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "mobile-attack" ] }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0709", "external_id": "DET0709" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Wi-Fi Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91", "x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0685", "external_id": "DET0685" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Application Layer Protocol", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6", "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0694", "external_id": "DET0694" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Hijack Execution Flow", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0668", "external_id": "DET0668" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Screen Capture", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd" ], "x_mitre_deprecated": false }, { "type": 
"x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0622", "external_id": "DET0622" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Ptrace System Calls", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4", "x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0707", "external_id": "DET0707" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Scheduled Task/Job", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061", "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3", "created": 
"2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0681", "external_id": "DET0681" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Protected User Data", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd", "x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0719", "external_id": "DET0719" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Hooking", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0666", 
"external_id": "DET0666" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Exploitation for Initial Access", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11", "x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0631", "external_id": "DET0631" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Proxy Through Victim", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0650", "external_id": "DET0650" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Symmetric 
Cryptography", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84", "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0647", "external_id": "DET0647" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Event Triggered Execution", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0690", "external_id": "DET0690" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Uninstall Malicious Application", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ 
"mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0715", "external_id": "DET0715" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Masquerading", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07", "x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0645", "external_id": "DET0645" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Lockscreen Bypass", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8", "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34" ], "x_mitre_deprecated": false }, { "type": 
"x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0672", "external_id": "DET0672" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Web Service", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728", "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0699", "external_id": "DET0699" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of User Evasion", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0621", "external_id": "DET0621" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Stored Application Data", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d", "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0670", "external_id": "DET0670" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Archive Collected Data", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466", "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0713", "external_id": "DET0713" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Data from Local System", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a", "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0636", "external_id": "DET0636" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of System Network Connections Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0615", "external_id": "DET0615" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": 
"2025-10-21T15:10:28.402Z", "name": "Detection of Exfiltration Over C2 Channel", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e", "x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0609", "external_id": "DET0609" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Match Legitimate Name or Location", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec", "x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0673", "external_id": "DET0673" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Audio Capture", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202", "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0644", "external_id": "DET0644" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Software Packing", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2", "x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0625", "external_id": "DET0625" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of System Checks", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], 
"x_mitre_analytic_refs": [ "x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee", "x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0627", "external_id": "DET0627" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Endpoint Denial of Service", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3", "x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0677", "external_id": "DET0677" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Steganography", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3" ], "x_mitre_deprecated": false }, { "type": 
"x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0667", "external_id": "DET0667" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Asymmetric Cryptography", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c", "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0614", "external_id": "DET0614" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Drive-By Compromise", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64", "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4", "created": 
"2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0641", "external_id": "DET0641" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Encrypted Channel", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97", "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0608", "external_id": "DET0608" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Generate Traffic from Victim", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b", "x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": 
"mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0642", "external_id": "DET0642" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Abuse Elevation Control Mechanism", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0603", "external_id": "DET0603" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Device Lockout", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0624", "external_id": "DET0624" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection 
of Remote Access Software", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998", "x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0662", "external_id": "DET0662" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Impersonate SS7 Nodes", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a", "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0620", "external_id": "DET0620" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Web Protocols", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1", "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0697", "external_id": "DET0697" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Abuse Accessibility Features", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0632", "external_id": "DET0632" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Process Injection", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1", 
"x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0678", "external_id": "DET0678" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Data Encrypted for Impact", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0704", "external_id": "DET0704" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Compromise Software Dependencies and Development Tools", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e", "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": 
"x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0717", "external_id": "DET0717" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Native API", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0646", "external_id": "DET0646" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of SSL Pinning", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae", "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": 
"mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0649", "external_id": "DET0649" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Compromise Application Executable", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0626", "external_id": "DET0626" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of URI Hijacking", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb", "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0674", "external_id": "DET0674" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Calendar Entries", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34", "x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0661", "external_id": "DET0661" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Keylogging", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86", "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0705", "external_id": "DET0705" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Input Capture", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e", "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0659", "external_id": "DET0659" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Conceal Multimedia Files", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0601", "external_id": "DET0601" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of System Information Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd", 
"x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0623", "external_id": "DET0623" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Adversary-in-the-Middle", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82", "x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0607", "external_id": "DET0607" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Unix Shell", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e", "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", 
"id": "x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0711", "external_id": "DET0711" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Broadcast Receivers", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4" ], "x_mitre_deprecated": false }, { "modified": "2024-04-19T19:35:15.637Z", "name": "PROMETHIUM", "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. 
[PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)", "aliases": [ "PROMETHIUM", "StrongPity" ], "x_mitre_deprecated": false, "x_mitre_version": "2.1", "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0056", "external_id": "G0056" }, { "source_name": "PROMETHIUM", "description": "(Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)" }, { "source_name": "Microsoft SIR Vol 21", "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" }, { "source_name": "Talos Promethium June 2020", "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" }, { "source_name": "Microsoft NEODYMIUM Dec 2016", "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. 
Retrieved November 27, 2017.", "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" }, { "source_name": "StrongPity", "description": "The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)" }, { "source_name": "Bitdefender StrongPity June 2020", "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ] }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0679", "external_id": "DET0679" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Contact List", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2", "x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": 
"x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0683", "external_id": "DET0683" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Transmitted Data Manipulation", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0605", "external_id": "DET0605" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Account Access Removal", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://attack.mitre.org/detectionstrategies/DET0643", "external_id": "DET0643" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of Clipboard Data", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6", "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127" ], "x_mitre_deprecated": false }, { "type": "x-mitre-detection-strategy", "spec_version": "2.1", "id": "x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0634", "external_id": "DET0634" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Detection of System Network Configuration Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_analytic_refs": [ "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b", "x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211" ], "x_mitre_deprecated": false }, { "type": "relationship", "id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:36.787Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308", "created": "2023-02-06T19:04:33.224Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:37.022Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can monitor notifications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--006e9850-9213-40c8-bfe0-5dac4383c9c2", "created": "2026-02-06T21:34:47.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:34:47.955Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has received instructions and applications through communications with C2 while running.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--00711e74-0877-4829-afc0-dfbe63901b4f", "created": "2025-08-29T22:09:45.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:09:45.617Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has executed when victims utilize their trusted banking apps, as the malware redirects the victim to using a malicious version of the banking app.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--00cac496-7350-4023-b29e-42c81e3c50bd", "created": "2025-09-18T14:40:18.513Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:40:18.513Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s call log.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", "created": "2019-07-16T14:33:12.085Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:31.007Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0100020b-97d4-4657-bc71-c6a1774055a6", "created": "2022-04-20T17:36:25.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:37.487Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has exfiltrated data via both SMTP and HTTP.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c", "created": "2025-03-28T15:09:39.238Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:37.713Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--01753250-4bfa-4671-bcce-0e3cf19c0ae9", "created": "2025-10-08T20:21:12.056Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:21:12.056Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used the KeyguardManager API to evaluate the device\u2019s locking mechanism and the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:31.406Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--01fd0686-d67f-4396-8812-3533063dd6b4", "created": "2023-08-16T16:38:47.766Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T21:56:32.839Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has removed artifacts of its presence and has the ability to uninstall itself.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", "created": "2020-09-15T15:18:12.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:31.684Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", "created": "2020-07-20T13:49:03.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:31.894Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3", "created": "2023-02-06T18:50:12.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:38.768Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can check device system properties to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--022e941f-30c3-45a9-9f6f-36e704b80060", "created": "2020-04-24T17:46:31.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:38.980Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", "created": "2017-10-25T14:48:53.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:39.209Z", "description": "Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f", "created": "2020-09-11T14:54:16.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:32.465Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:32.734Z", "description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc", "created": "2021-10-01T14:42:49.174Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:40.056Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can abuse existing root access to copy components into the system partition.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--02e4aedc-0674-4598-948b-0a32758af9ca", "created": "2022-04-01T13:14:43.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:40.269Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b", "created": "2020-12-24T22:04:27.914Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:33.220Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--03172b09-4f97-4fb8-95f0-92b2d8957408", "created": "2020-06-26T14:55:13.349Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:40.752Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--03239f6a-a314-4ee0-81fa-006a39209b63", "created": "2025-09-18T14:41:15.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:41:15.687Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected account names and their types from the compromised device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0330db55-06e0-45a2-85a6-17617a37fdaf", "created": "2022-04-06T13:57:49.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:40.949Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--033e6e76-2274-4c1f-9a88-a3206836867e", "created": "2026-02-16T15:48:24.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). 
Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:48:24.195Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has used an obfuscated APK file and Base64-encoded URLs and files.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8", "created": "2019-11-21T16:42:48.437Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:41.155Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122", "created": "2025-03-28T14:40:32.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:41.387Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has loaded additional modules stored in memory.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0384b954-06be-4b7d-924e-39416306a844", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--038bbc64-2ca7-4e63-afd5-e4484170f368", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
"x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--03d0892e-94af-492f-9535-79119aa95436", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694", "created": "2019-11-19T17:32:20.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:33.874Z", "description": "If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71", "created": "2022-04-18T15:49:00.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:41.838Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download text files with commands from an FTP server and exfiltrate data via email.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb", "created": "2019-07-10T15:35:43.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:34.216Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--046acda0-91de-4385-bcfb-157570d8e51d", "created": "2023-03-30T15:25:00.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:42.263Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--049a5149-00c9-492a-8ffb-463f3d0cd910", "created": "2022-03-30T20:13:28.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android 10 Limitations to Hiding App Icons", "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons" }, { "source_name": "LauncherApps getActivityList", "description": "Android. (n.d.). LauncherApps: getActivityList. 
Retrieved March 30, 2022.", "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:42.468Z", "description": "Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--049b0c71-63e3-47ce-bb0b-149df0344b15", "created": "2020-12-24T21:45:56.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:42.695Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access device contacts.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--049c39ab-c036-457a-9b8f-4318416658b8", "created": "2022-03-30T19:54:24.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:42.902Z", "description": "A locked bootloader could prevent unauthorized modifications of protected operating system files. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112", "created": "2022-04-05T19:59:03.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:43.107Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--04d9e597-f25b-40cf-bdb6-d552255acc78", "created": "2026-02-06T21:24:18.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_June2025", "description": "ThreatFabric. (2025, June 3). Crocodilus Mobile Malware: Evolving Fast, Going Global. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:24:18.589Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has used XOR to encode its payload.(Citation: ThreatFabric_Crocodilus_June2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", "created": "2019-12-10T16:07:41.093Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:35.035Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab", "created": "2020-09-11T14:54:16.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:43.752Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can be controlled using SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--052576f4-0b54-44be-840d-a9c8bb7cb980", "created": "2025-09-18T14:43:22.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:43:22.944Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected package names.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:35.336Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:44.154Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--05a0ac14-12c3-428c-9567-fecb3e29abe3", "created": "2025-06-25T15:36:12.680Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:36:12.680Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has utilized foreground services by showing a notification to evade detection.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76", "created": "2020-12-17T20:15:22.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:44.598Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has collected all outgoing phone numbers that start with \u201c86\u201d.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:35.907Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--066671b9-93d5-4309-8130-e01594b7c9d1", "created": "2026-02-16T16:01:08.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:01:08.396Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to start and stop audio recording.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--06869cb8-7384-4d85-aa0a-78256133c88d", "created": "2024-04-02T19:46:53.072Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:45.031Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can make phone calls.(Citation: welivesecurity_apt-c-23)(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b", "created": "2024-03-28T18:03:23.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:45.260Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) on a compromised website to distribute a malicious version of a legitimate application.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--069b2328-442b-491e-962d-d3fe01f0549e", "created": "2019-09-04T14:28:15.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:45.481Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS from a set of \"control phones.\"(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d", "created": "2023-08-16T16:40:14.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:20:37.877Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to gather basic device information, such as version, model, root status, and country.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has checked the keyguard\u2019s status regarding how the device is locked (e.g. pattern, PIN or password).(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85", "created": "2020-11-20T16:37:28.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:36.501Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect various pieces of device information, such as serial number and product information.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0727ac06-5b46-4f79-abe9-63c1b923d383", "created": "2023-02-06T19:05:56.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:46.140Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has included encoded shell scripts to potentially aid in the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35", "created": "2024-03-28T18:32:59.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:46.369Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to encrypt C2 communication using AES.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", "created": "2020-09-11T16:22:03.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:36.867Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:37.121Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc", "created": "2022-03-30T19:36:20.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:47.021Z", "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--07c727a6-6323-477a-bb55-34e130959b4e", "created": "2023-10-10T15:33:57.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. 
Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:47.257Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can mimic an app called \u201cStorage Settings\u201d if it cannot hide its icon.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--07ccc973-19fb-4926-953a-9ec205372683", "created": "2025-07-07T21:49:15.656Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:23:10.053Z", "description": "After accessibility permissions are granted, [Chameleon](https://attack.mitre.org/software/S1083) has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, and disabling Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", "created": "2020-12-18T20:14:47.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:37.556Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has stored encoded strings.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e", "created": "2022-03-30T18:15:03.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:47.696Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0803b497-5064-4b7b-9db9-4e9c37b0b8c1", "created": "2025-09-18T14:44:25.729Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:44:25.729Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--082c3bd7-6088-4364-ae75-0eb45a635583", "created": "2025-03-27T22:48:11.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:48.109Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has checked if the device is jailbroken.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--084786ee-9384-4a00-9e1b-48f94ea70126", "created": "2019-09-03T19:45:48.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:48.317Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--085f8397-0233-42d7-855e-3dbd709f2eca", "created": "2023-01-18T21:39:27.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:48.527Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the Android \u201cDirect Reply\u201d feature to spread the malware to other devices. 
It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8", "created": "2022-04-01T15:16:02.324Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "iOS Universal Links", "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.", "url": "https://developer.apple.com/ios/universal-links/" }, { "source_name": "Android App Links", "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.", "url": "https://developer.android.com/training/app-links/verify-site-associations" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:48.952Z", "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8", "created": "2023-07-21T19:38:06.254Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:49.166Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve account information for third party services, such as Google, Telegram, WeChat, or WhatsApp.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0891421a-8476-4d37-b274-645b90f139c7", "created": "2024-03-28T18:31:38.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:49.383Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect information regarding available Wi-Fi networks.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--08a43019-d393-451f-a23c-2dfa17ec40b2", "created": "2023-01-18T19:15:24.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:49.584Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can steal incoming SMS messages and send SMS messages from compromised devices. 
(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--08c81253-975c-4780-8e85-c72bc6a90c88", "created": "2020-10-29T19:21:23.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:49.813Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can generate revenue by automatically displaying ads.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b", "created": "2019-12-10T16:07:41.081Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:50.033Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--09059576-658b-4944-9f7b-df003319fdaa", "created": "2024-02-21T00:00:40.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:50.261Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa", "created": "2025-03-27T23:00:01.923Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:50.460Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has encrypted data using 3DES.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956", "created": "2020-11-24T17:55:12.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:50.672Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has communicated with the C2 using HTTP requests or WebSockets as a backup.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", "created": "2020-06-02T14:32:31.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:39.353Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72", "created": "2023-09-21T19:37:48.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:51.093Z", "description": "Users can be trained to identify social engineering techniques and phishing emails.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--09b445b0-8dd0-4b97-8bd7-65e6e1f6ba49", "created": "2026-03-09T15:45:01.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:45:01.358Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has used Retrofit, an HTTP client for Android, to upload unencrypted data to the C2 server via HTTP.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca", "created": "2022-04-06T13:22:57.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:51.323Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d", "created": "2023-02-06T19:01:08.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:51.755Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has encoded files, such as exploit binaries, to potentially use during and after the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0a1f0061-ad04-4329-bcc3-5b49d1ed281c", "created": "2026-04-20T13:02:47.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Check Point Wirte NOV 2024", "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. 
Retrieved April 20, 2026.", "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-20T13:02:47.419Z", "description": "(Citation: Check Point Wirte NOV 2024)", "relationship_type": "uses", "source_ref": "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", "target_ref": "malware--4e164a21-3fbe-4aaa-be69-2513fdba90f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:39.906Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb", "created": "2020-12-18T20:14:47.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:40.110Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has included native modules.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", "created": "2020-09-11T15:45:38.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:40.316Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", "created": "2020-06-26T15:12:40.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:40.564Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0ac51c46-97a5-4893-a98d-2dfab8178768", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0ae94053-1963-45ba-a3a9-62e508281c8e", "created": "2023-01-19T18:06:36.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:52.797Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070", "created": "2022-04-15T17:18:44.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:52.998Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) obfuscated command information using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0b1c0282-8190-465a-9944-0874e3ee65f6", "created": "2025-09-18T14:40:36.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:40:36.756Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s contact list.(Citation: ZimperiumGupta_RatMilad_Oct2022)", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", "created": "2020-05-04T14:04:56.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:53.266Z", "description": "[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651", "created": "2023-04-11T19:54:52.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:53.464Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", "created": "2020-09-11T14:54:16.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:41.420Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253", "created": "2020-12-31T18:25:05.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:41.634Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has fingerprinted devices to uniquely identify them.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", "created": "2020-06-02T14:32:31.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:41.836Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349", "created": "2020-10-29T19:01:13.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware. Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:54.522Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has registered to receive 14 different broadcast intents for automatically triggering malware payloads. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e", "created": "2020-07-15T20:20:59.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:54.749Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access the device\u2019s contact list.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", "created": "2019-08-09T17:59:48.988Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:42.361Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record and take pictures using the front and back cameras.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0c077d44-1c79-473c-8623-d6267ab47f34", "created": "2025-03-28T14:58:52.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:55.387Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors exploited a kernel vulnerability to obtain root privileges.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0c417238-738d-4bda-8359-d37d39414ebe", "created": "2023-08-04T18:30:41.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:55.603Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate phone number and IMEI.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0c49a6e0-9837-424d-877b-4e232f5fe250", "created": "2024-03-28T18:33:46.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:55.810Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to communicate with the C2 server using HTTPS.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0c558826-5cea-422e-8e67-83e53c04d409", "created": "2020-06-26T15:32:25.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:56.020Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 using HTTP requests over port 8888.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0cabc5f9-045e-490c-a97f-efe00dbade86", "created": "2020-01-27T17:05:58.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:42.957Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record video.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:43.218Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record device audio.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a", "created": "2025-03-27T22:53:40.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:56.713Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has used the Protobuf library for command and control communication.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c", "created": "2022-04-01T18:51:44.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:56.918Z", "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0cf39d51-2d80-4576-b088-e787b113513e", "created": "2023-09-28T17:39:48.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zimperium FlyTrap", "description": "A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. 
Retrieved September 28, 2023.", "url": "https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:57.132Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to communicate with the C2 server.(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f", "created": "2020-12-24T21:55:56.749Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:57.380Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has hidden its app icon.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a", "created": "2021-02-17T20:43:52.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:44.089Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has used an online cell tower geolocation service to track targets.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184", "created": "2022-03-30T17:53:56.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:58.016Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43", "created": "2024-04-02T19:46:33.757Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:58.222Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has used blank screen overlays to hide malicious activity from the user.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0d7b3afd-51af-410c-8859-1fbe70e2e971", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594", "created": "2022-04-05T17:14:08.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:58.426Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0de00695-619e-401b-bcb4-0497ff107936", "created": "2026-03-09T15:34:38.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:34:38.375Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has exploited accessibility features to intercept and exfiltrate communication from WhatsApp, WhatsApp Business and Signal and to automatically enable necessary permissions on the user\u2019s behalf.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50", "created": "2025-03-24T20:14:19.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. 
(2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:58.645Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has used both HTTPS and Websockets to communicate with the C2.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0e8607f6-daab-44df-b167-105403a4ef41", "created": "2023-01-18T19:57:33.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:58.873Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the \u201cDirect Reply\u201d feature of Android to automatically reply to notifications with a message provided by C2.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39", "created": "2020-06-26T14:55:13.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:59.077Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:59.320Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4", "created": "2020-06-02T14:32:31.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:45.017Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can track the device\u2019s location.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd", "created": "2021-01-05T20:16:20.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:59.760Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can launch a fake Facebook login page.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b", "created": "2023-02-28T20:31:03.379Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" }, { "source_name": "bitdefender_flubot_0524", "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:46:59.983Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send SMS phishing messages to other contacts on an infected device.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0f265012-567d-45e9-9dc2-e1fd1be5bb93", "created": "2026-02-06T21:35:25.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_June2025", "description": "ThreatFabric. (2025, June 3). Crocodilus Mobile Malware: Evolving Fast, Going Global. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:35:25.736Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has masqueraded as legitimate applications to include applications related to financial institutions, cryptocurrency, gambling, browser updates and occasionally geo-specific themes.(Citation: ThreatFabric_Crocodilus_June2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369", "created": "2023-02-02T17:46:27.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:00.216Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can exfiltrate captured user credentials and event logs back to the C2 server. 
(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:45.550Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2", "created": "2020-12-24T22:04:28.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:00.657Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has modified or configured proxy information.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936", "created": "2019-08-29T18:57:55.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Samsung Keyboards", "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20201112021547/https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:00.868Z", "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards) An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1016d630-94c2-4826-8612-cb1beac51512", "created": "2025-09-18T14:44:08.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:44:08.887Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has used HTTP POST requests for communicating with its C2 server.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--10560632-6449-4579-90eb-20fc46dcca08", "created": "2020-10-29T19:21:23.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:01.070Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--10c07066-df05-4dff-bb95-c76be02ea4ef", "created": "2020-09-14T14:13:45.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:01.280Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) imposes geo-restrictions when delivering the second stage.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--10c912f6-6e0c-41a7-9911-f7fa5c9ba6f8", "created": "2026-02-06T21:28:02.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:28:02.564Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to enable call forwarding.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451", "created": "2019-10-10T15:03:27.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:01.486Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--11113fa5-150e-4574-89fc-5db66479e268", "created": "2023-12-18T18:13:28.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" }, { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:01.709Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--112966ab-6e28-482b-8bea-ed9f4ed17064", "created": "2024-02-20T23:44:07.210Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:01.906Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--114f4334-16f4-402e-981a-902b2c9be6fb", "created": "2024-04-17T16:42:31.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:02.111Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) distributed [StrongPity](https://attack.mitre.org/software/S0491) through the compromised official Syrian E-Gov website.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1151b8cc-035b-46e2-ab5a-46e719ef97f8", "created": "2026-02-06T21:34:13.983Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:34:13.983Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to send stolen data to C2.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae", "created": "2023-10-10T15:33:59.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:02.315Z", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was placed in a repackaged version of an application used by Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--119b848b-84b4-4f86-a265-0c9eb8680072", "created": "2021-10-01T14:42:49.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:02.514Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can be controlled via IRC using freenode.net servers.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f", "created": "2023-10-10T15:33:57.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:02.718Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506)\u2019s second stage has masqueraded as \u201cSystem Updates\u201d, \u201cViber Update\u201d, and \u201cWhatsApp Update\u201d.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--11a992e7-83a3-4dc3-b391-fbd79e518943", "created": "2023-07-21T19:40:08.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:02.923Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can encrypt its data before exfiltration.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a", "created": "2025-03-24T14:58:31.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:03.132Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has attempted to detect anti-spam call applications.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e", "created": "2025-03-28T15:11:21.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:03.369Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors stole data from SQLite databases.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--12006533-e26f-4168-9b1f-7fb3073a9938", "created": "2025-09-18T14:41:37.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:41:37.428Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected clipboard content.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1208139a-5df5-40e9-ab7b-390f38530757", "created": "2026-02-06T21:32:31.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:32:31.195Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to start and stop image streaming from the device\u2019s front camera.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", "created": "2019-09-04T14:28:16.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:47.185Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) uses XOR to obfuscate its second stage binary.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:03.804Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--122ffed0-5f5a-4588-88a4-16924db24e9e", "created": "2024-03-26T19:35:11.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:04.014Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can collect and exfiltrate files with specific extensions, such as .pdf, doc.(Citation: welivesecurity_apt-c-23) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1245bef0-5468-4e1e-9a7e-61d4019c9137", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", "created": "2019-08-07T15:57:13.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:47.597Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query the device's IMEI.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--127e6672-d16a-4370-b277-4d04874a4cfe", "created": "2023-02-06T19:37:24.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:04.426Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use overlays to capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1284ba4a-c48c-4533-ac35-664828616ee3", "created": "2023-07-21T19:52:46.863Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:04.650Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access and exfiltrate files, such as photos or video.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1284f6fe-d352-415c-9479-82141524380a", "created": "2022-03-30T18:06:48.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:04.846Z", "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--12d14048-793c-456c-a2b8-d812de547ca7", "created": "2023-09-28T17:19:38.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). 
Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:05.263Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can read SMS messages on the device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650", "created": "2019-07-10T15:35:43.663Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:05.466Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--12de5aeb-9427-4665-81a0-257c76d6f188", "created": "2023-03-03T16:20:48.781Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:05.676Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has replaced device apps with ones it has downloaded.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--12df8ac7-06a4-4389-8d86-d354c4536e28", "created": "2024-03-26T19:32:36.539Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cyware APT-C-23 2020", "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4" }, { "source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" }, { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:05.881Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) reads notifications from applications and connected wearables.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--12e68fcd-83d4-43a7-bf89-a2550ecfbed1", "created": "2025-08-29T21:57:41.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T21:57:41.933Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d", "created": "2020-12-18T20:14:47.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:06.103Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has generated non-human advertising impressions.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1317fb3d-ded3-4b84-8007-147f3b02948a", "created": "2022-04-05T19:52:38.539Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:06.312Z", "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC-WG1-FinalReport) ", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1329a866-0f6b-4660-b537-a6d208352502", "created": "2023-06-09T19:11:12.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). 
Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:06.509Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd", "created": "2023-08-04T18:35:25.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:06.749Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can try to run arbitrary commands as root.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1348c744-3127-4a55-a5b4-2f439f41e941", "created": "2020-07-27T14:14:56.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:06.950Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can install itself on the system partition to achieve persistence. 
[Zen](https://attack.mitre.org/software/S0494) can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--13495d9c-6877-4bc9-888a-7d92362bcb40", "created": "2023-06-09T19:10:19.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:07.165Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect device contacts.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d", "created": "2019-10-18T14:50:57.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:07.379Z", "description": "Security 
updates often contain patches for vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--136edce9-2bf4-4255-8f84-b10cd9aef143", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--137ec7b1-8f78-4b03-8dec-f445800d36c1", "created": "2025-06-25T15:37:16.563Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:37:16.564Z", "description": "After accessibility permissions are granted, [CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579", "created": "2023-07-21T19:40:25.197Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:07.824Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can download and run code obtained from the C2.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:08.050Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--140bf67b-4650-44ab-a182-3abf6de1245d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:49.594Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record audio using the device microphone.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c", "created": "2022-04-01T14:59:39.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:08.471Z", "description": "Apple regularly provides security updates for known OS vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--142532a6-bf7c-4b25-be23-16f01160f3c5", "created": "2020-09-15T15:18:12.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:50.254Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect account information stored on the device, as well as data in external storage.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--143833fb-8034-4e75-a030-d8e47f9bebef", "created": "2023-12-18T18:10:56.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:08.907Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can track the device's location.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--14474366-938a-4359-bf24-e2c718adfaf5", "created": "2020-06-26T14:55:13.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:50.636Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--146159d0-e1cb-4260-995b-d5daad26455a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", "created": "2020-09-14T14:13:45.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:50.812Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can record audio.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6", "created": "2022-03-30T15:18:21.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:09.574Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--15059ed8-f2d1-4e51-8b65-048fd53edf44", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": 
"relationship--15065492-1aef-4cf8-af3c-cc763eee5daf", "created": "2020-09-24T15:34:51.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:09.993Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can detect if it is being run on an emulator.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa", "created": "2025-03-28T15:05:17.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:10.223Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors removed files from the device.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b", "created": "2025-03-24T20:13:23.329Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:10.469Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has retrieved files from the C2 server.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024) Examples of files from the C2 are `amfidebilitate` (jailbreak component), `jbexec` (executable to verify jailbreak), `bb` (FrameworkLoader), `cc` (launchctl binary for persistence), `b.plist` (configuration for auto-start), and `resources.zip`, which contains additional jailbreak-related components.(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b", "created": "2025-04-14T17:40:59.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. 
Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:10.710Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the WifiList (or `libWifiList`) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd", "created": "2020-06-26T15:12:40.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:51.681Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--157d2522-4fb0-4ea7-bed9-f64b3b2809b1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052", "created": "2024-03-28T18:29:23.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:11.105Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect SMS messages.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80", "created": "2022-03-30T19:33:05.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:11.327Z", "description": "Security updates typically provide patches for vulnerabilities that enable device rooting.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9", "created": "2020-04-24T17:46:31.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:52.037Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--161dc9cf-e49a-426a-a68c-4d3fa0bf9f25", "created": "2026-03-09T15:24:20.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:24:20.687Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected and exfiltrated the call log.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1659ff92-3a84-4cc3-84dc-42dcc8a91dc4", "created": "2025-10-22T21:31:22.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-22T21:31:22.546Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has captured victims' credentials through predefined fake activities.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1687c7a0-a453-4737-a10d-c57b94d5a458", "created": "2025-03-28T14:56:15.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" }, { "source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:11.764Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors downloaded subsequent stages from the C2.(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d", "created": "2021-10-01T14:42:48.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:52.408Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect images stored on the device and browser history.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--16d969ca-59ae-4c87-888f-fa231ad863d1", "created": "2024-03-28T18:27:18.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:12.208Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect message notifications from 17 applications.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--17141729-226d-40d4-928d-ffbd2eed7d11", "created": "2022-04-05T19:37:16.086Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:12.412Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca", "created": "2020-09-11T16:22:03.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:12.613Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s contact list.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--174b139b-83ff-4cdc-889f-6e5936731741", "created": "2026-02-06T21:28:57.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:28:57.205Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to send SMS messages to a specified number, to a list of numbers, or to all contacts. 
Additionally, [Crocodilus](https://attack.mitre.org/software/S9004) has the ability to perform Unstructured Supplementary Service Data (USSD) requests.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--17558571-7352-470b-b728-0511fb3f699d", "created": "2019-10-18T15:51:48.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:52.921Z", "description": "Users should be warned against granting access to accessibility features and should carefully scrutinize applications that request this dangerous permission.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--17697784-f6e0-4062-adaa-7779e44e2d62", "created": "2024-02-20T23:57:03.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:13.024Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7", "created": "2022-03-31T19:53:01.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:13.275Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--17e94f34-e367-491c-9f9f-79294e124b4f", "created": "2020-12-17T20:15:22.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:13.482Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can intercept SMS messages.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744", "created": "2025-03-24T20:07:56.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:13.721Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s contact list.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1822e616-ae33-487c-8aa6-4fa81e724184", "created": "2021-02-08T16:36:20.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:13.928Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--183edec4-71b8-4122-a81b-102256e5db13", "created": "2025-06-16T17:28:01.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cyble_Anubis_May2021", "description": "Cyble. (2021, May 2). Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus. 
Retrieved April 24, 2025.", "url": "https://cyble.com/blog/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-16T17:28:01.768Z", "description": "After the accessibility service is granted, [Anubis](https://attack.mitre.org/software/S0422) lures the victim into changing the Accessibility settings on the device, disabling application removal, and executes screen taps and other commands without the victim\u2019s knowledge.(Citation: Cyble_Anubis_May2021) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--185764e3-b559-4a65-818e-1cad4db6d105", "created": "2024-04-04T17:42:29.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:14.147Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can send SMS messages.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd", "created": "2022-04-01T18:50:00.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:14.378Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495", "created": "2024-02-20T23:52:29.033Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:14.583Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea", "created": "2022-04-06T13:40:14.515Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. 
Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:14.795Z", "description": "Android 10 prevents applications from accessing clipboard data unless the application is in the foreground or is set as the device\u2019s default input method editor (IME).(Citation: Android 10 Privacy Changes)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--18aae8e4-4bdd-42c2-bde6-88d678d080c5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:15.006Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--18c212f3-8c21-427c-9654-ebffbf33fac7", "created": "2025-06-25T15:37:37.043Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:37:37.043Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application has launched.(Citation: TrendMicro_CherryBlos_July2023)", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:15.233Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1987b242-c868-40b2-993d-9dbeea311d4b", "created": "2022-03-30T14:08:09.882Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:15.453Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--198b99e6-3954-4c93-90bc-4227b45270a4", "created": "2023-08-04T19:03:55.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:15.672Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can delete locally gathered files after uploading them to the C2 to avoid suspicion.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--19b95b83-bac0-455f-882f-0209abddb76f", "created": "2022-04-05T20:11:35.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:15.882Z", "description": "Applications that properly encrypt network traffic may evade some forms of AiTM behavior. ", "relationship_type": "mitigates", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:16.079Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the `BOOT_COMPLETED` broadcast intent in order to maintain persistence and activate its functionality at device boot time.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80", "created": "2022-03-31T19:51:41.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:16.319Z", "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd", "created": "2020-07-15T20:20:59.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:16.539Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e", "created": "2020-09-14T14:13:45.299Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:16.762Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version has used public key encryption for C2 communication.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1a5d49ae-de04-4b05-98d2-73f6afdda0ae", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1a71edbf-2fee-41e7-ade1-74abf165e5e2", "created": "2026-04-19T00:45:10.088Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "FBI_KimsukyQR_Jan2026", "description": "FBI. (2026, January 8). 
FBI Flash AC-000001-MW North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities. Retrieved April 18, 2026.", "url": "https://www.ic3.gov/CSA/2026/260108.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-19T00:50:11.214Z", "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) has sent phishing emails that impersonate legitimate people to various targets containing malicious QR codes to harvest credentials and conduct other malicious activities.(Citation: FBI_KimsukyQR_Jan2026) [Kimsuky](https://attack.mitre.org/groups/G0094) has also leveraged QR codes (also known as Quishing) to evade URL inspection and to direct victims from their corporate host devices to mobile devices.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: FBI_KimsukyQR_Jan2026) ", "relationship_type": "uses", "source_ref": "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1aa13495-1455-484a-9e9b-92b5d96be32c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1aa58b60-1a3d-4e97-918a-4553985488e8", "created": "2025-10-21T15:10:28.402Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1afaf0fe-810e-49c7-8141-de4d56997aad", "created": "2026-02-16T16:00:45.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T02:02:47.119Z", "description": "When an accessibility event occurs, [DocSwap](https://attack.mitre.org/software/S9005) has used a keylogger to record the target application\u2019s icon, package name, event text, and timestamp.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1b53d214-9667-4dbc-8c82-1bc8d9cf4876", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e", "created": "2022-04-01T17:05:56.046Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:16.966Z", "description": "On Android 11 and up, users are not prompted with the option to select \u201cAllow all the time\u201d and must navigate to 
the settings page to manually select this option. On iOS 14 and up, users can select whether to provide Precise Location for each installed application. ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", "created": "2020-09-11T14:54:16.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:55.229Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can obtain a list of installed applications.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b", "created": "2023-07-21T19:35:17.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:17.613Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access a device\u2019s microphone to record audio, as well as cell and VoIP application calls.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e", "created": "2020-12-31T18:25:05.165Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:17.824Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES) ", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a", "created": "2023-08-16T16:36:59.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:13:22.345Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered cookies and device logs.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1c180c0e-c789-4176-b568-789ada9487bb", "created": "2020-10-29T19:21:23.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:55.760Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if *developer mode* is enabled.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1c307192-0358-4c0c-920e-0fc2d3e86889", "created": "2025-10-08T20:21:32.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:21:32.754Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:18.489Z", "description": "[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.(Citation: CheckPoint-Judy)", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf", "created": "2023-02-06T18:59:46.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:18.704Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1c7d2614-c1a6-4193-8053-e5ca8a15437f", "created": "2026-02-16T15:49:32.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:06:47.496Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `LOCAL_MAC_ADDRESS` permission and has the ability to send system information.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73", "created": "2020-07-20T14:12:15.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Check Point-Joker", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. 
Retrieved July 20, 2020.", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:56.178Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1cc71849-142f-4097-9546-7946b0b546a6", "created": "2020-04-08T15:51:25.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:19.123Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can determine if it is running in an emulator.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:19.378Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1cf04fb7-17a6-4424-a3f2-93f1b33d19cd", "created": "2025-10-08T20:14:00.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:14:00.607Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to control calls.(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1d828f51-1c04-466c-beaf-2d4de741a544", "created": "2020-05-04T14:04:56.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:20.018Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1db350b2-1e8b-4d58-9086-eac41de1b110", "created": "2022-04-05T17:13:56.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:20.286Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1e286a4a-63cd-47df-a034-11a5d92daceb", "created": "2022-04-06T15:41:03.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:20.492Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
"x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a", "created": "2020-06-26T15:32:24.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:20.706Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1e822ff0-b1e1-4d80-b1a2-956919511809", "created": "2023-12-18T19:06:20.411Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:20.917Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1e9f9600-7ba3-44ae-b704-0fc0bd6e243b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b", "target_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", "created": "2019-09-03T19:45:48.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:21.132Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223", "created": "2020-11-20T16:37:28.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:57.482Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has been distributed in two stages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1f31e348-a4ee-4874-891f-393c65a7640a", "created": "2023-07-21T19:34:13.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:21.586Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate a device\u2019s contacts.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f", "created": "2023-02-28T20:39:57.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:21.822Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Domain Generation Algorithms to connect to the C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1f35d6bf-c5e1-42bc-ba47-e06ee1a2e305", "created": "2025-10-08T20:12:37.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:12:37.612Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435", "created": "2022-04-05T19:51:08.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android 12 Features", "description": "Google. (2022, April 4). Features and APIs Overview. 
Retrieved April 5, 2022.", "url": "https://developer.android.com/about/versions/12/features" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:22.046Z", "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12. It allows an application to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps that hold the `SYSTEM_ALERT_WINDOW` permission, so that those overlays are not shown on top of the protected application. Note that this protection is opt-in: it only applies to applications that request the permission and make use of the hide capability, and it does not stop other apps from creating overlay windows or from targeting applications that have not adopted it.(Citation: Android 12 Features)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9", "created": "2021-10-01T14:42:49.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:22.266Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can hide its icon.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b", "created": "2020-04-08T15:51:25.128Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:22.473Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can collect SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87", "created": "2020-05-04T14:04:56.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. 
Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:58.330Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. [Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd", "created": "2020-04-08T18:55:29.205Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" }, { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:23.138Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2019d384-2aef-4c50-a1a6-0db411f68ba2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--20310407-9b05-4d7b-9548-961f545e14e1", "created": "2023-06-09T19:18:41.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:23.574Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6", "created": "2020-07-20T13:27:33.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:27:59.100Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) sends the device\u2019s IMEI with each exfiltration request.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--204e30ed-5e69-400b-a814-b77e10596865", "created": "2022-04-06T15:50:42.481Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:24.029Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:24.296Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--209aa948-393c-46b0-9488-ef93a6252438", "created": "2022-03-30T20:07:19.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:24.513Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0", "created": "2020-12-24T21:55:56.741Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:24.722Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the contact list.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86", "created": "2022-04-06T13:55:37.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:24.920Z", "description": "Users should be advised that most applications have no legitimate need for the permission to send SMS messages, and that a request for this permission from an application that does not obviously require it should be treated as suspicious and denied.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef", "created": "2024-03-26T19:30:26.368Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:25.131Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) listens for the `BOOT_COMPLETED` broadcast to activate malware.(Citation: welivesecurity_apt-c-23) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2115228b-c61a-4ebb-829a-df7355635fbf", "created": "2020-12-17T20:15:22.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:25.365Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can detect if the app is running on an emulator.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--212801c2-5d14-4381-b25a-340cda11a5ac", "created": "2020-12-18T20:14:47.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:25.579Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has displayed a form to collect user data after installation.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2167de58-8453-4ac3-977d-30a2b3526818", "created": "2025-02-12T15:22:13.938Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CrowdStrike Scattered Spider JUL 2025", "description": " Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.", "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/" }, { "source_name": "Check Point Scattered Spider JUL 2025", "description": "Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.", "url": "https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/" }, { "source_name": "Mandiant UNC3944 May 2025", "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. 
Retrieved October 13, 2025.", "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations" }, { "source_name": "Mphasis SS_SIM_Swap Apr2024", "description": "Mphasis. (2024, April 17). Scattered Spider conducts SIM swapping attacks. Retrieved February 3, 2025.", "url": "https://www.mphasis.com/content/dam/mphasis-com/global/en/home/services/cybersecurity/scattered-spider-conducts-sim-swapping-attacks-12.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-14T21:25:32.275Z", "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SIM swapping to take over victims' phone numbers, allowing the group to bypass MFA delivered to those numbers and to maintain persistent control over the victims' mobile carrier accounts and SIM cards.(Citation: Mphasis SS_SIM_Swap Apr2024)(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Check Point Scattered Spider JUL 2025)", "relationship_type": "uses", "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf", "created": "2023-12-18T19:05:38.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:26.003Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9", "created": "2020-07-20T13:27:33.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:26.218Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s call log.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22041a01-75e7-4ff6-8768-ad45188c53c7", "created": "2023-02-28T21:45:25.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:26.432Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can obtain a list of installed applications.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:00.475Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) covertly records phone calls.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22334426-e99f-4e97-b4dd-17e297da4118", "created": "2020-12-24T21:55:56.696Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:26.863Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d", "created": "2025-03-24T20:13:57.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:27.088Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has plugins for executing shell commands either from the C2 server or a library file called `zt.dylib`.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--226d2f3c-5d28-4599-9373-d3001f4c4b55", "created": "2025-09-18T14:38:43.084Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:38:43.084Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", "created": "2020-07-15T20:20:59.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:00.921Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2270d987-4698-4b59-9186-3d7637cf6599", "created": "2025-03-28T14:39:53.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:27.537Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has extracted the device\u2019s keychain.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8", "created": "2023-08-04T18:32:57.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:27.770Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22773074-4a95-48e0-905f-688ce048b5ed", "created": "2020-04-24T17:46:31.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:27.991Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22e90a62-3f31-4190-98ee-eabede72eb07", "created": "2025-03-28T14:59:44.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" }, { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:28.240Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used 3DES and AES to encrypt C2 communication and data.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6", "created": "2021-01-05T20:16:20.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:01.504Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can track the device\u2019s location.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--22f5308c-77ee-4198-be1c-54062aa6a613", "created": "2020-12-31T18:25:05.160Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:28.701Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2305ceb7-f237-42bb-9a45-e245d8f82cde", "created": "2025-06-25T15:36:59.718Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:36:59.718Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has obtained a list of installed cryptocurrency wallet applications.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", "created": "2019-07-10T15:35:43.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:01.825Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--23522416-9493-4960-8408-f7befae7be60", "created": "2024-02-20T23:59:14.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:29.125Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device\u2019s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081", "created": "2023-01-18T19:19:01.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:29.381Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use Accessibility Services to disable Google Play Protect.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2", "created": "2023-01-18T19:57:13.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:29.580Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use Accessibility Services to detect which process is in the foreground.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798", "created": "2020-10-29T19:01:13.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware. Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:02.386Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has employed both name mangling and meaningless variable names in source. [AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--23ecc134-0623-45ec-b8b5-52516483bda1", "created": "2023-04-14T14:10:04.452Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:29.989Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--23f4525e-adc8-42bd-bcaa-0373442553aa", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e", "target_ref": 
"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f", "created": "2022-04-01T18:52:13.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:30.254Z", "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2421a94b-d71a-4c37-b5b0-3e12a92d8167", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--242dc659-c205-4e9e-95f9-14fee66195af", "created": "2022-04-01T15:29:36.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:30.450Z", 
"description": "Configuration of per-app VPN policies instead of device-wide VPN can restrict access to internal enterprise resources over the VPN to enterprise-approved applications only.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a", "created": "2024-03-26T19:33:50.343Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:30.665Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can capture pictures and videos.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53", "created": "2020-07-15T20:20:59.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:03.123Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. 
It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--24a7379e-a994-411b-b17c-add6c6c6fc07", "created": "2020-12-24T21:45:56.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:03.328Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has hidden malicious functionality in a second stage file and has encrypted C2 server information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:31.332Z", "relationship_type": 
"revoked-by", "source_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--24db9a56-c868-43b7-a20c-99c6ff60ba62", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48", "created": "2020-09-24T15:34:51.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:31.538Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can intercept SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--25466097-53c6-4dc7-8409-197758e88673", "created": "2023-08-16T16:45:11.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T21:58:08.241Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has downloaded HTML overlay pages after installation.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--25655385-5b0d-4700-a59f-d5d043625b84", "created": "2023-02-06T18:50:50.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:31.953Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use rooting exploits to silently give itself permissions or install additional malware.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3", "created": "2023-12-18T18:09:56.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" }, { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:32.267Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can uninstall itself and remove traces of infection.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527", "created": "2019-09-04T14:28:16.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:32.477Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve nearby cell tower and Wi-Fi network information.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3", "created": "2023-03-03T16:26:48.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:32.711Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected compromised device MAC addresses.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd", "created": "2020-04-08T18:55:29.196Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:32.911Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--268c12df-d3bc-46fa-99e9-32caab50b175", "created": "2022-03-30T15:52:09.759Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:33.130Z", "description": "Device attestation can often detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--268c2962-a557-4782-a40b-eef430c87740", "created": "2025-03-24T14:51:33.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:33.367Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the official icon of the Korean police application and the package name \u201ckpo,\u201d which contain references related to the Korean police.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--269d4409-e287-4ef3-b5f3-765ec03e503e", "created": "2020-06-02T14:32:31.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:33.578Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) grants itself permissions by injecting its hash into the kernel\u2019s trust cache.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--26a97b10-7344-4365-8169-c9ec735fda73", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7", "created": "2022-04-01T18:45:11.299Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:33.818Z", "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": 
"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51", "created": "2022-04-01T12:37:17.515Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:34.039Z", "description": "OS feature updates often enhance security and privacy around permissions. ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--26c2626b-92a0-4798-b9f3-00abf12a817b", "created": "2025-03-28T14:41:49.137Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:34.264Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has deleted an implant module or specified files.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--27050442-e578-44b7-9534-ada78824befe", "created": "2023-02-06T19:45:09.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:34.475Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can intercept and read SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--271a311f-71bc-4558-a314-0edfbec44b64", "created": "2019-11-21T16:42:48.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:05.136Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) collects device information, including the device model and OS version.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:05.423Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9", "created": "2023-02-28T21:42:52.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:35.312Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request location permissions.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2793d721-df10-4621-8387-f3342def59a1", "created": "2022-03-30T18:14:36.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:35.525Z", "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--279b016a-45c8-4961-88fa-48162e56c3fa", "created": "2024-02-21T20:49:34.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:35.752Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea", "created": "2020-07-15T20:20:59.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:06.081Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c", "created": "2020-07-27T14:14:56.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:06.278Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can obtain root access via a rooting trojan in its infection chain.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--27cb4c94-c84a-4420-b213-442e4907d8e7", "created": "2025-10-08T14:37:36.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:37:36.242Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s contact list.(Citation: Lookout_DCHSpy_July2025)", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6", "created": "2022-04-01T14:59:53.782Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:36.352Z", "description": "Device attestation can often detect jailbroken devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a", "created": "2020-12-28T18:47:52.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:36.551Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can run commands as root.(Citation: Palo Alto HenBox) ", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2", "created": "2020-04-24T17:46:31.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:36.762Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--289f5e23-088a-4840-a2a6-bab30da2a64b", "created": "2022-04-01T16:51:04.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "GoogleIO2016", "description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). 
Retrieved December 9, 2016.", "url": "https://www.youtube.com/watch?v=XZzLjllizYs" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:36.985Z", "description": "Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.(Citation: GoogleIO2016)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad", "created": "2020-12-24T21:55:56.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:37.218Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploits to root devices and install additional malware on the system partition.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--290a627d-172d-494d-a0cc-685f480a1034", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:37.420Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15", "created": "2021-09-24T14:47:34.447Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:07.258Z", "description": "Device attestation can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--292ea094-7278-4f69-9bb6-64a8aaa72e33", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9", "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--29357289-362c-447c-b387-9a38b50d7296", "created": "2022-04-15T17:20:06.338Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" }, { "source_name": "Check Point-Joker", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020.", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:37.831Z", "description": "[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. [Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. [Bread](https://attack.mitre.org/software/S0432) payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. 
[Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224", "created": "2019-09-03T20:08:00.670Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:07.556Z", "description": " [Gustuff](https://attack.mitre.org/software/S0406) can capture files and photos from the compromised device.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--29703cf5-5f27-4a96-a27b-983bc1c2d5c7", "created": "2026-02-16T15:49:08.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. 
Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:49:08.774Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has decrypted the encrypted APK file security.dat using the `decryptFile` function in the `native-lib` library.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590", "created": "2019-09-23T13:36:08.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:38.276Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can access and upload the contacts list to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:38.476Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce", "created": "2020-12-18T20:14:47.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:07.932Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used timer events in React Native to initiate the foreground service.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2a472430-c30e-4877-8933-2e75f1de9a01", "created": "2022-03-30T14:00:45.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:38.892Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92", "created": "2024-02-21T21:08:13.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:39.087Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0", "created": "2023-02-28T20:30:01.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil. (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" }, { "source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. 
Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:39.299Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has used the contact list to infect more devices.(Citation: proofpoint_flubot_0421)(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a", "created": "2025-03-24T20:13:08.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:39.505Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s KeyChain data.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2ac927da-8d38-4529-9534-0fc93ffb2faf", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2acc0c1a-af30-4410-976b-31148df5378d", "created": "2022-03-28T19:39:42.538Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"modified": "2025-04-16T21:47:39.720Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2ae97bcd-0481-415c-8337-12d3a30e6911", "created": "2024-02-20T23:58:31.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:39.927Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2af26be3-f910-4700-ab14-9d14532601cc", "created": "2023-07-21T19:53:32.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:40.142Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access the device\u2019s call log.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7", "created": "2023-01-18T19:19:34.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:40.386Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can send stolen data back to the C2 server.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22", "created": "2024-03-26T19:04:29.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:40.847Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can read SMS messages.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2ba3af4e-97d8-45e8-93e0-8fa857944edd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2bdb3316-10c5-4aa5-95e0-dc7c5ccae432", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69", "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": 
false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16", "created": "2021-02-17T20:43:52.420Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:09.344Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved device images for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:41.465Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1", "created": "2020-07-20T13:27:33.514Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:41.690Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete files from the device.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd", "created": "2020-09-11T14:54:16.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. 
(2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:09.738Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can list files stored on external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57", "created": "2024-03-26T18:41:48.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:42.099Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) can collect the victim\u2019s phone number, device information, IMSI, etc.(Citation: checkpoint_hamas_android_malware) ", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6", "created": "2023-01-19T18:07:26.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:42.315Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can utilize WebViews to display fake authentication pages that capture user credentials.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:42.754Z", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f", "created": "2023-08-16T16:38:15.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T21:59:17.428Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has performed system checks to verify if the device is rooted or has ADB enabled; if either condition is detected, [Chameleon](https://attack.mitre.org/software/S1083) will avoid execution.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b", "created": "2021-02-17T20:49:24.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:43.165Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) can run arbitrary shell commands.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2d3198ff-a481-47ec-ae64-13d7be706929", "created": "2023-02-28T21:41:47.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:43.373Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record video from the device camera.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2d6f830f-411c-48e5-8b7e-6d9e01244070", "created": "2025-10-08T20:13:43.780Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:13:43.780Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used a SOCKS proxy.(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:10.646Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user\u2019s clipboard.(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e08820f-a81d-480e-9e60-f14db3e49080", "created": "2019-09-04T14:28:15.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:10.810Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can take photos and videos.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8", "created": "2019-09-04T15:38:56.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:10.991Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1", "created": "2020-12-24T21:45:56.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. 
Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:44.220Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has attempted to trick users into enabling installation of applications from unknown sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010", "created": "2023-12-18T18:08:09.656Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" }, { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:44.433Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can capture and send real-time screen output.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e", "created": "2020-06-02T14:32:31.888Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:11.335Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) obfuscates various pieces of information within the application.(Citation: Volexity Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3", "created": "2020-12-18T20:14:47.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:44.858Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0", "created": "2019-09-04T20:01:42.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:45.076Z", "description": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e7f8995-93ae-41bb-9baf-53178341d93e", "created": "2021-02-08T16:36:20.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:45.304Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has deployed anti-analysis capabilities during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e826926-fd5b-407c-adbc-e998058728d3", "created": "2019-09-04T15:38:56.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:11.836Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2e913583-123a-47af-8872-98fc12ab4a6a", "created": "2020-11-24T17:55:12.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:12.038Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can send SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2eb063cd-c8cf-4651-b849-454a55daff76", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055", "created": "2020-01-27T17:05:58.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:45.926Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect SMS messages.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76", "created": "2019-10-18T14:50:57.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:46.131Z", "description": "Security updates frequently contain patches for known exploits.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349", "created": "2025-03-24T17:58:36.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:46.369Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has compromised iPhones running iOS 12.1 and 12.2 without any user interaction.(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2f41ab75-3490-4642-8111-9d4d43b88df7", "created": "2023-08-04T18:32:23.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:46.575Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can take screenshots and abuse accessibility services to scrape BlackBerry Messenger and WhatsApp messages, contacts, and notifications(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2f55e452-f8b3-402b-a193-d261dac9f327", "created": "2022-04-01T18:53:48.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:46.799Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2f63c5a0-db78-4f81-bbdd-46fccf06bf9c", "created": "2025-08-29T21:59:48.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T21:59:48.642Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionalities, such as scanning the device and requesting the accessibility service.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3", "created": "2021-04-19T14:29:46.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:12.775Z", "description": " [SilkBean](https://attack.mitre.org/software/S0549) can send SMS messages.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2f97c0cb-ec84-4b5d-ac2c-c3b1c9da2142", "created": "2025-09-08T16:32:57.240Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T16:32:57.240Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865", "created": "2023-09-28T17:21:02.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:47.418Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can take photos using the device cameras.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2f9e034e-1e97-4efc-8afc-6557894554fa", "created": "2026-02-16T15:55:55.915Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:08:39.676Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `FOREGROUND_SERVICE` permission.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025) [DocSwap](https://attack.mitre.org/software/S9005) has also used the StartForeground API to generate a notification saying \u201cTap to view more details or stop the app\u201d in Korean and to maintain persistence.(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2", "created": "2022-04-01T13:27:29.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:47.620Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386", "created": "2023-08-04T19:02:39.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). 
Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:47.816Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--300c824d-5586-411b-b274-8941a99a98fb", "created": "2022-03-30T14:06:01.859Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:48.013Z", "description": "Device attestation can often detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96", "created": "2024-03-28T18:27:40.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:48.220Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect file lists on the victim device.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761", "created": "2023-12-05T22:17:17.084Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:48.660Z", "description": "Security updates frequently contain patches for known software vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--30ab9ce7-5369-402a-94ee-f8452642acb9", "created": "2022-03-30T19:50:37.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:48.873Z", "relationship_type": "revoked-by", "source_ref": 
"attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--30d02956-90ed-4556-bf04-8494a6ce5f04", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--30ff0aa8-7931-4a1c-880a-3e72b62bbc29", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546", "created": "2023-07-21T19:53:45.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:49.081Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can request camera permissions.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:13.910Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f", "created": "2022-03-30T18:14:04.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec-iOSProfile2", "description": "Brian Duckering. (2017, March 27). 
Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles" }, { "source_name": "Android-TrustedCA", "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.", "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:49.513Z", "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attacks.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--319d46b5-de41-4f23-9001-2fa75f954720", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:49.730Z", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2", "created": "2017-10-25T14:48:53.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:50.156Z", "description": "Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the device.", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3237f5ff-b870-41a7-8448-6f6b387db61d", "created": "2025-06-25T15:34:46.220Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:34:46.220Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has been distributed through the threat actors\u2019 Telegram group, fake TikTok and Twitter accounts, and YouTube videos.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3255ffee-496e-4ad2-b79d-ddaff4a31eba", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3272111a-f31d-47d5-a266-1749255b5016", "created": "2019-09-23T13:36:08.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:50.370Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can be controlled through SMS messages.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--327d0102-2113-4e12-be68-504db097a6fd", "created": "2019-08-07T15:57:13.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:50.562Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) communicates with the command and control server using HTTP requests.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--32958f57-ad9b-4fe1-abf3-6f92df895014", "created": "2019-08-05T13:22:03.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:14.865Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--329b14a1-df5f-4112-b062-175ef9447728", "created": "2026-02-16T15:56:16.538Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:56:16.538Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `READ_EXTERNAL_STORAGE` and `MANAGE_EXTERNAL_STORAGE` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--32a28692-0297-40b9-b853-4996cf5541ec", "created": "2025-10-08T14:42:19.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:42:19.577Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has captured photos from the device by taking control of the camera.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", "created": "2019-09-04T15:38:56.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:15.180Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. 
[FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--33316f49-f1fb-453a-9ba7-d6889982a010", "created": "2020-07-20T13:27:33.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:15.398Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can obtain a list of installed applications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--33329d7b-aa21-4c0d-a570-5e35e2e0cc9d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": 
"x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3364dd33-c012-4aaf-852b-86e63bd724ac", "created": "2023-02-06T19:38:22.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" }, { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:51.409Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather session cookies from infected devices. 
[S.O.V.A.](https://attack.mitre.org/software/S1062) can also abuse Accessibility Services to steal Google Authenticator tokens.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--33857221-2543-4a7f-8255-b0d140d70ad7", "created": "2020-07-20T13:27:33.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:15.895Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record call audio.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--34351abd-1f58-420a-a893-ad822839815d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:51.819Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0", "created": "2020-12-14T14:52:03.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:16.179Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can download additional overlay templates.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--348d1acd-3f37-4523-95cd-ae002c02c975", "created": "2023-08-23T22:17:46.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:53.093Z", "description": "Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:16.556Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record audio using the device microphone.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--349c2f82-1166-4dab-88d0-cfe920804b70", "created": "2023-12-18T19:06:41.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:53.524Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can exfiltrate collected data to the C2, such as audio recordings and files.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f", "created": "2019-11-21T19:16:34.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:53.723Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--34b6abb0-d199-46bb-af21-b65560e75658", "created": "2022-04-01T19:06:40.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:53.934Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--34d5905b-486c-4ccc-969a-ef39905e9aff", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34", "target_ref": 
"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--34dd5c26-eec9-4288-8e53-677271d490b2", "created": "2023-01-18T19:46:02.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:54.146Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use accessibility event logging to steal data in text fields.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--34f9aed0-48a7-4815-8456-5541a7b8210f", "created": "2019-09-04T14:28:16.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:54.362Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the user's keystrokes.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22", "created": "2019-03-11T15:13:40.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-Anserver", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:54.565Z", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. 
Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.(Citation: TrendMicro-Anserver)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--35453bbb-c9b3-4421-8452-95efdd290d21", "created": "2021-01-20T16:01:19.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zimperium z9", "description": "zLabs. (2019, November 12). How Zimperium\u2019s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021.", "url": "https://blog.zimperium.com/how-zimperiums-z9-detected-unknown-mobile-malware-overlooked-by-the-av-industry/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:17.366Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of running processes.(Citation: Zimperium z9)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--35927c96-7645-4ef3-b3da-e44822386a10", "created": "2023-01-18T21:43:10.838Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). 
SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:55.178Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c", "created": "2023-08-16T16:44:09.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T21:59:37.780Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--35a12ae8-562d-4e24-979e-ef970dde0b94", "created": "2022-04-15T17:52:24.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:55.587Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:55.823Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3", "created": "2020-11-24T17:55:12.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:56.023Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can read SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--36268322-9f5e-4749-8760-6430178a3d68", "created": "2020-06-26T14:55:13.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:56.223Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--36298fd6-d909-4490-8a04-095aef9ffafe", "created": "2020-11-20T15:54:07.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:18.492Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can record audio from the microphone and phone calls.(Citation: Symantec GoldenCup) ", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:56.649Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses HTTP requests for C2 communication.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3680408d-e56e-4d68-a74d-2678093ed53f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:42:46.467Z", "relationship_type": "revoked-by", "source_ref": "intrusion-set--9559ecaf-2e75-48a7-aee8-9974020bc772", "target_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--36874e30-f649-4e46-a4b9-195273b6df6e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { 
"type": "relationship", "id": "relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10", "created": "2020-06-26T15:32:25.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:18.955Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3721782f-351b-430d-8667-df78ac3db541", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631", "created": "2020-11-24T17:55:12.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", 
"description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:19.134Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. 
Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:19.322Z", "description": "[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.(Citation: HackerNews-OldBoot)", "relationship_type": "uses", "source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc", "created": "2020-12-24T21:55:56.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:19.596Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured audio and can record phone calls.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--375ead49-d7ac-4664-bd46-a266764cddc8", "created": "2025-08-29T22:10:52.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:10:52.147Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has leveraged WebSockets for C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--37a6f20d-e739-43df-97fb-c39ae93b2725", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f", "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--37d14338-b629-4b54-b734-446789b79f6f", "created": "2023-10-10T15:33:57.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:58.138Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) has used icons from popular applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--37ee0a2d-bf61-4d71-98a4-6a9fbf28a85c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517", "created": "2023-08-16T16:45:37.235Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T21:59:58.825Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has communicated over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3832d2cf-0568-451d-aac9-6fb809fc423d", "created": "2024-02-20T21:45:45.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cyfirma Bahamut", "description": "Cyfirma. (2023, February 10). APT Bahamut Attacks Indian Intelligence Operative using Android Malware. 
Retrieved February 23, 2024.", "url": "https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:58.568Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has hidden multimedia files from the user.(Citation: Cyfirma Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--383e5b12-061e-45c6-911b-b37187dd9254", "created": "2021-02-08T16:36:20.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:20.159Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3841024e-1047-40fa-9e25-ac6d5c14612a", "created": "2023-02-28T21:41:22.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:59.011Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view device contacts.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3857f790-6ea1-4f37-8d90-90904f175d63", "created": "2023-01-18T21:37:55.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:59.227Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has C2 commands that can uninstall the app from the infected device.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91", "created": "2020-10-29T19:21:23.187Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:59.426Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can hide its icon and create a shortcut based on the C2 server response.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--386b0a9f-9951-4717-8bce-30c8fbe05050", "created": "2020-06-26T15:32:24.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:20.658Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b", "created": "2024-02-23T19:53:28.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:47:59.870Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--38962b26-7cbe-4761-8b4f-50a022167c4d", "created": "2019-09-03T20:08:00.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:00.073Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) checks for antivirus software contained in a predefined list.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951", "created": "2023-01-19T18:08:14.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:00.312Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) has encrypted C2 details, email addresses, and passwords.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4", "created": "2023-03-30T15:18:37.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:00.521Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can take screenshots and abuse the Android Screen Cast feature to capture screen data.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e", "created": "2020-12-14T14:52:03.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:21.283Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can send SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d", "created": "2020-09-11T14:54:16.587Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:00.926Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can retrieve SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a", "created": "2020-11-20T16:37:28.591Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:01.358Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has communicated with the C2 using MQTT and HTTP.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--39953612-a6e4-456a-9f9c-860dc5fed10b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0", "created": "2022-04-11T20:05:56.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:01.767Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3a13ea43-f3d7-4b12-93fa-65eb44d02b5e", "created": "2025-09-18T14:39:35.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:39:35.445Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has exfiltrated collected data to the C2.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3a282967-0536-474d-8831-30cd60b818a9", "created": "2023-09-28T17:20:38.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:02.214Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can initiate phone calls.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010", "created": "2024-02-20T23:51:50.439Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:02.417Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41", "created": "2024-03-28T18:10:46.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:02.628Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obfuscate code and strings to evade detection.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a", "created": "2022-04-01T14:51:51.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:02.864Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3abc80ad-4ea0-4e91-a170-f040469c2083", "created": "2020-07-20T13:27:33.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:22.464Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can take photos and videos.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd", "created": "2022-04-01T15:02:43.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:03.283Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3ac8d515-8b04-4502-b0fe-b8d7d9fc410a", "created": "2025-09-17T14:58:52.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-17T14:58:52.937Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": 
"relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265", "created": "2021-04-19T14:29:46.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:03.481Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:03.690Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:03.895Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3b55245d-6a26-4ecd-8f2f-305f8dbd572c", "created": "2025-08-29T22:06:09.103Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:06:09.103Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted API return values from banking apps that detect malicious services, modifying the methods to return an empty list that hides the presence of the malware and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895", "created": "2025-03-28T15:08:46.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" }, { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:04.323Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors monitored the device\u2019s geolocation.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3bf4b093-a1a3-48da-9236-bce9514765eb", "created": "2022-04-05T19:46:05.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Samsung Keyboards", "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20201112021547/https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:04.757Z", "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards)", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3bf5a566-986b-478c-b2da-e57caf261378", "created": "2019-09-03T19:45:48.515Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:04.965Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414", "created": "2019-10-18T14:50:57.521Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:05.169Z", "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:23.640Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7", "created": "2019-10-15T19:33:42.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:23.814Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can track the device's location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c43d125-6719-420e-bb69-878cc91c2474", "created": "2020-09-15T15:18:12.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:05.821Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can register for the `BOOT_COMPLETED` broadcast Intent.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637", "created": "2025-04-14T16:32:24.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). 
LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:06.031Z", "description": "Using an XOR-chain algorithm, [LightSpy](https://attack.mitre.org/software/S1185) decrypts an embedded configuration blob containing URLs for jailbreak components and next-stage payloads. It also decrypts modules in memory and on disk using AES-ECB with the hardcoded key `3e2717e8b3873b29`.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185)\u2019s plugins have been encrypted during transmission.(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3", "created": "2023-10-10T15:33:58.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Proofpoint-Droidjack", "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. 
Retrieved January 20, 2017.", "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:06.270Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.(Citation: Proofpoint-Droidjack)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5", "created": "2023-08-16T16:40:34.787Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T22:00:11.758Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered device location data.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad", "created": "2020-04-24T15:06:33.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:06.714Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect the device\u2019s call log.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3c90dc4c-8156-49ae-8144-76526268a6c1", "created": "2023-08-04T18:32:08.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:06.927Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can request device administrator privileges. 
(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a", "created": "2019-07-16T14:33:12.175Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:07.125Z", "description": "[Triada](https://attack.mitre.org/software/S0424) variants capture transaction data from SMS-based in-app purchases.(Citation: Kaspersky Triada March 2016) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00", "created": "2020-09-15T15:18:12.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:24.723Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect a list of installed applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:24.961Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c", "created": "2024-04-18T15:36:58.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Mandiant UNC3944 May 2025", "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.", "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations" }, { "source_name": "MSTIC Octo Tempest Operations October 2023", "description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. 
Retrieved March 18, 2024.", "url": "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-13T19:54:33.892Z", "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Mandiant UNC3944 May 2025) ", "relationship_type": "uses", "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b", "created": "2021-01-05T20:16:20.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:25.317Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture audio from the device\u2019s microphone and can record phone calls.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3dac9ed8-7b92-44fb-bf04-3f2179c37851", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3dc016c9-fd28-4e02-899a-8f2b54a5d2ff", "created": "2025-05-19T18:26:02.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "GTIG_SignalAbuse_Feb2025", "description": "Black, D. (2025, February 19). Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger. 
Retrieved April 30, 2025.", "url": "https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-05-19T18:29:46.270Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the linked devices feature to connect Signal accounts on devices captured on the battlefield to adversary-controlled infrastructure for follow-on exploitation.(Citation: GTIG_SignalAbuse_Feb2025)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3dd0cd4d-bcde-4105-b98e-b32add191083", "created": "2020-01-27T17:05:58.331Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:08.712Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) exfiltrates data using HTTP POST requests.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3dff770d-9627-4647-b945-7f24a97b2273", "created": "2019-09-15T15:26:22.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:25.977Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de", "created": "2023-06-09T19:17:12.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). 
Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:09.121Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3e2474d3-f36d-4193-92f6-273296befdd3", "created": "2022-04-05T19:38:18.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:09.351Z", "description": "Users should protect their account credentials and enable multi-factor authentication options when available. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60", "created": "2020-11-24T17:55:12.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:09.550Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can access the device\u2019s contact list.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:26.651Z", "description": "(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364", "created": "2023-02-06T19:46:19.592Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. 
(2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:09.976Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has C2 commands to add an infected device to a DDoS pool.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3e75b212-b0e2-433a-a7e2-9081a2cae056", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", "created": "2017-10-25T14:48:53.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:10.210Z", "description": "Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications\u2019 internal storage directories, regardless of permissions. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817", "created": "2019-09-20T18:03:57.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android 10 Execute", "description": "Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019.", "url": "https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:10.410Z", "description": "Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. (Citation: Android 10 Execute)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb", "created": "2024-03-26T16:14:04.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "blackberry_mobile_malware_apt_esp", "description": "BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. 
Retrieved March 1, 2024.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:10.620Z", "description": "[BITTER](https://attack.mitre.org/groups/G1002) has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.(Citation: blackberry_mobile_malware_apt_esp) ", "relationship_type": "uses", "source_ref": "intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5", "created": "2025-03-28T14:42:05.150Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:10.830Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3efe7dcc-a572-45ac-aff2-2932206a0632", "created": "2019-08-07T15:57:13.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:11.040Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can access and upload the device's contact list to the command and control server.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3f171bab-ee60-48ca-860f-7adcdb48b1e0", "created": "2026-02-16T15:57:59.932Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T02:04:07.171Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `READ_SMS` and `RECEIVE_SMS` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) [DocSwap](https://attack.mitre.org/software/S9005) also has the ability to send SMS information, including the sender or receiver, the message content, and the timestamp.(Citation: S2W_DocSwap_Mar2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365", "created": "2019-09-04T14:28:15.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:11.268Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13", "created": "2020-10-29T17:48:27.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:11.488Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has registered to receive the `BOOT_COMPLETED` broadcast intent.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3f392718-87c4-483b-b89f-4f0cc056d251", "created": "2020-07-20T13:58:53.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:27.916Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s UDID, version number, and product number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3f47f048-badd-4476-8534-d06e20c02ec6", "created": "2023-06-09T19:18:59.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:11.949Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can use HTTP and HTTP POST to communicate information to the C2.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3f81a680-3151-4608-b83f-550756632013", "created": "2020-07-20T13:58:53.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:28.337Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s IMEI, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:28.510Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. 
It also has the ability to access arbitrary filenames and retrieve directory listings.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645", "created": "2021-02-08T16:36:20.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:28.739Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a", "created": "2020-06-26T14:55:13.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. 
Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:12.979Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb", "created": "2023-08-16T16:44:30.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T22:00:29.252Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has sent stolen data over HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4009ff40-4616-4b1c-bff9-599e52ccab37", "created": "2020-01-27T17:05:58.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:13.438Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s contact list.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4088b31b-d542-4935-84b4-82b592159591", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:29.186Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4", "created": "2022-04-05T19:38:41.538Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:13.858Z", "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--40f30137-4db9-4596-b4c7-a12f1497fd92", "created": "2020-11-10T17:08:35.831Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:14.058Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--413cb53b-9cc0-4c6a-bb63-0214405a9249", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": 
"x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151", "created": "2023-12-18T18:50:27.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:14.262Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can request the user unlock the device, or remotely unlock the device.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--418168ad-fee9-42c8-ac27-11f7472a5f86", "created": "2019-09-03T19:45:48.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:14.475Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--41b72054-bb0d-40e8-b1fc-298fe0ddcb24", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27", "created": "2025-03-28T14:40:13.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:14.694Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has monitored the device\u2019s geolocation, which includes coordinates, altitude, bearing and speed.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--41da5845-a1a8-4d10-8929-053be3496396", "created": "2022-04-20T17:46:43.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:14.903Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP data exfiltration.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--41e79691-b3b9-4d7f-9bca-c2d814090ee5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4", "created": "2022-04-06T15:28:20.249Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:15.122Z", "description": "Users should be instructed to not grant applications unexpected or unnecessary permissions. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--42342d72-a37c-477e-b8f1-1768273fcb7f", "created": "2019-10-18T15:51:48.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:15.321Z", "description": "Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7", "created": "2023-08-16T16:33:12.493Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:12:09.676Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as legitimate applications, such as a cryptocurrency application called \u2018CoinSpot,\u2019 the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000", "created": "2022-03-30T15:13:42.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:15.746Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e", "created": "2020-06-26T15:32:24.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). 
Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:15.945Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9", "created": "2023-12-18T18:10:38.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:16.164Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can perform a factory reset.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09", "created": "2021-02-08T16:36:20.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:30.558Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has exfiltrated local account data and calendar information as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:16.647Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--42e5e24c-eeb3-46f3-99f1-81015cd4f34e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396", "created": "2020-12-14T15:02:35.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:30.803Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has stored encrypted strings in the APK file.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b", "created": "2020-07-20T13:27:33.549Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:31.014Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674", "created": "2023-01-18T19:56:01.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:17.268Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept SMS messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:31.316Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50", "created": "2020-06-26T15:32:25.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:17.720Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device\u2019s contact list.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", "created": "2020-05-11T16:37:36.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:31.797Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can inject input to make itself the default SMS handler.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--43af5696-ac4d-4618-9da9-0784b8f7e433", "created": "2023-12-18T19:07:55.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:18.376Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can collect the device\u2019s contact list.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358", "created": "2020-11-10T17:08:35.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:32.215Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has looked for specific applications, such as MiCode.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--442dd700-2d7d-4cad-8282-9027e4f69133", "created": "2022-03-30T20:31:41.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:18.816Z", "description": "New OS releases frequently contain additional limitations or controls around device location access.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--44304163-9a44-4760-bd04-0e14adb33299", "created": "2022-04-01T15:13:40.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. 
Retrieved September 11, 2020.", "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T16:44:09.587Z", "description": "iOS 11 introduced a first-come-first-served principle for URI schemes, so that only the app that was installed first (the one that originally registered the scheme) can be launched via that URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4449ac76-8329-4483-b152-99b990006cbc", "created": "2019-09-04T15:38:56.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:19.270Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:19.473Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to send messages to premium-rate SMS numbers, incurring charges for the victim.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--44b63426-1ea7-456e-907b-0856e3eab0c3", "created": "2020-12-31T18:25:05.142Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:32.875Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has collected the device\u2019s location.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--44da429b-9dee-43c9-9397-445c6f9e647e", "created": "2022-03-30T19:54:59.651Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:20.091Z", "description": "Android includes system partition integrity mechanisms that could detect unauthorized modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:20.333Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--45101937-578d-4782-8173-77d26e024763", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", "created": "2020-05-07T15:24:49.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:33.327Z", "description": "Security updates frequently contain patches to vulnerabilities.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--45383213-4323-4f77-9f9f-360d6d43c128", "created": "2024-04-02T19:13:21.430Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:20.765Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device\u2019s contact list.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9", "created": "2022-04-06T13:57:38.847Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:20.968Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
"x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--455b1287-5784-42b4-91fb-01dac007758d", "created": "2020-09-29T13:24:15.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:21.219Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can open a dialog box to ask the user for passwords.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4586277d-bebd-4717-87c6-a31a9be741ed", "created": "2020-12-24T21:45:56.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:33.913Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can get file lists on the SD card.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--45b2b93c-86fb-412c-b2e1-d4d267715bd5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--45cd8890-fd9c-4de8-966c-20b6157d4979", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": 
"3.3.0" }, { "type": "relationship", "id": "relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb", "created": "2020-12-14T14:52:03.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:21.651Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has used malicious overlays to collect banking credentials.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1", "created": "2022-04-05T19:48:31.354Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:21.875Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e", "created": "2020-01-27T17:05:58.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { 
"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:22.077Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873", "created": "2025-03-28T14:39:33.150Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:22.303Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected a list of running processes.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--47217be3-b80b-459c-acad-01fc0190e8ac", "created": "2026-02-16T15:58:18.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. 
Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:58:18.776Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `ACCESS_WIFI_STATE` and `CHANGE_WIFI_STATE` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4761145d-34ac-4b45-a0d6-a09b1907a196", "created": "2020-12-18T20:14:47.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:34.595Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af", "created": "2020-12-14T14:52:03.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:22.710Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s contact list.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4776d2fc-cb18-4453-8c3d-26d05728c3a8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--477edf7d-cc1f-49b7-9d96-f88399808775", "created": "2022-04-05T20:15:43.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:22.920Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
"x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4819f391-01de-4525-992b-7e4a4f6667de", "created": "2020-11-20T15:46:51.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:34.987Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can take pictures with the camera.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--481e5d33-eca4-453c-9fec-27ee01d50989", "created": "2023-02-28T21:45:41.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:23.329Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view files and media.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--48486680-530c-4ed9-aca3-94969aa262b6", "created": "2019-07-10T15:35:43.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:23.533Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--48552acc-5f1a-422f-90fa-37108446f36d", "created": "2022-03-30T19:14:20.374Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:23.777Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--48854999-1c12-4454-bb7c-051691a081f9", "created": "2022-03-28T19:25:49.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:23.994Z", "description": "Ensure Verified Boot is enabled on devices with that capability.", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4896e256-fb04-403c-bbb7-2323b158a6e0", "created": "2022-03-30T19:52:05.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:24.227Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74", "created": "2021-01-05T20:16:20.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:35.672Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has contained an alarm that triggers every three minutes and timers for communicating with the C2.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--48c9d015-70bb-4142-8f02-c492b9a2d573", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee", "created": "2023-09-28T17:19:00.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:24.984Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request the `DISABLE_KEYGUARD` permission to disable the device lock screen password.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4920a041-86f7-495b-896c-4d964950ed7e", "created": "2020-12-17T20:15:22.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:35.945Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has contained native libraries.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--492d5699-f885-411a-8431-254fcf33fb12", "created": "2019-08-09T16:14:58.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android Capture Sensor 2019", "description": "Android Developers. (, January). Android 9+ Privacy Changes. Retrieved August 27, 2019.", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:25.422Z", "description": "Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. 
iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device\u2019s camera.(Citation: Android Capture Sensor 2019)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4943cca6-69b1-4565-ac09-87ebda04584c", "created": "2022-04-01T18:52:02.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:25.625Z", "description": "Users should be taught the dangers of rooting or jailbreaking their device.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--494d08df-ad69-49c4-890a-fb8dd3025491", "created": "2025-08-29T21:59:13.102Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F., Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T21:59:13.102Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has hooked onto the `getEnabledAccessibilityServiceList` API to return an empty list of active services, which hides [GodFather](https://attack.mitre.org/software/S1231) and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--494ece43-ebba-4519-86be-cd5c4d4dd337", "created": "2025-04-14T19:24:14.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:25.838Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) collects and compresses data to be exfiltrated using SSZipArchive.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--496976ef-4a0c-4782-95e7-231bd44df162", "created": "2020-12-14T15:02:35.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:36.436Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device information, including device model and OS version.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--49c0c003-433c-467f-93b7-ca585aab8232", "created": "2023-08-16T16:46:17.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T22:00:48.643Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has registered as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4a408dee-07da-4855-b2ff-be512480ccb5", "created": "2023-01-19T18:08:41.596Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:26.483Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can gather device UDIDs.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4a4a6166-57de-43c1-a0af-5416b561a9d8", "created": "2026-02-16T15:51:23.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. 
Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:57:20.429Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `LOCAL_MAC_ADDRESS` and `READ_PRIVILEGED_PHONE_STATE` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5", "created": "2023-03-03T16:26:20.400Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:26.923Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about running processes.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e", "created": "2020-04-24T15:06:33.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:37.007Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application\u2019s notification content.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952", "created": "2020-04-24T17:46:31.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:27.369Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4a936488-526c-40c1-b2d5-490052cb0e73", "created": "2020-12-31T18:25:05.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:27.569Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can run bash commands.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d", "created": "2023-02-28T21:43:12.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:27.776Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can make and block phone calls.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257", "created": "2020-10-29T17:48:27.469Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:37.596Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can forward SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3", "created": "2020-09-15T15:18:12.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:28.396Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can hide its icon if it detects that it is being run on an emulator.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4aec0738-2c76-4dc7-af8a-87785e658193", "created": "2021-10-01T14:42:49.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:28.591Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can run shell commands.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4af26643-880f-4c34-a4a8-23e89b950c9d", "created": "2019-09-04T15:38:56.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:28.807Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4b06c7b6-f557-456a-8c03-0ed740713d29", "created": "2026-03-09T15:35:33.780Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. 
(2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:35:33.780Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has recorded surrounding audio and phone calls from WhatsApp, WhatsApp Business, Signal, and Telegram by requesting `android.permission.RECORD_AUDIO`.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a", "created": "2020-12-24T21:55:56.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:38.140Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has downloaded additional code to root devices, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1", "created": "2021-10-01T14:42:49.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:29.262Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4b68bcb1-a512-40f7-9aee-235b3668f022", "created": "2020-01-27T17:05:58.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:38.855Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain clipboard contents.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4b7e117b-0c82-49d0-bee6-119158b3355b", "created": "2023-02-28T20:32:37.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" }, { "source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. 
Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:29.693Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4b838636-bfa4-4592-b72f-3044946b8187", "created": "2020-09-14T14:13:45.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:29.889Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate the device\u2019s contact list.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61", "created": "2020-04-24T15:06:33.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:39.302Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can track the device\u2019s location.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1", "created": "2021-02-08T16:36:20.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:39.469Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included video recording in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4bfd9b27-243b-46f7-927a-babc76db65d2", "created": "2025-06-16T17:27:19.466Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-16T17:27:19.466Z", "description": "First, users should be wary of clicking on suspicious text messages, links and emails. Secondly, users should be wary of granting applications accessibility features. Users may check applications that have been granted accessibility features by going to Settings, then Accessibility. Finally, users should be wary of downloading applications; although applications may be on the Google Play Store, they may not be benign (see [Application Versioning](https://attack.mitre.org/techniques/T1661)). 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4c035760-9bf2-40cd-87d1-f286afd76376", "created": "2023-07-21T19:41:45.173Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:30.532Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect clipboard data.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4c363f2c-5d7a-4a9f-9fb5-684b530122f0", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9", "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11", "created": "2022-09-29T20:08:54.389Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:30.752Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd", "created": "2019-09-03T19:45:48.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:30.950Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4cb926c1-c242-45c2-be46-07c22435a8a5", "created": "2022-09-30T19:23:02.689Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:31.145Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c", "created": "2019-09-03T20:08:00.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:31.364Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can intercept two-factor authentication codes transmitted via SMS.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3", "created": "2023-02-06T19:43:43.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:31.778Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can uninstall itself.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa", "created": "2020-11-24T17:55:12.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:40.368Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has the capability to remotely load plugins and download and compile new .NET code.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4d537065-9a82-42d5-923d-45194453cc25", "created": "2025-02-12T15:20:54.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:32.214Z", "description": "Enterprises should monitor for SIM card changes on the Enterprise Mobility Management (EMM) or the Mobile Device Management (MDM). ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4d542595-1eb0-45aa-9702-9d494142b390", "created": "2019-08-09T18:08:07.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:40.668Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record video or capture photos when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b", "created": "2021-01-05T20:16:20.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:32.617Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has registered for device boot, incoming, and outgoing calls broadcast intents.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:32.825Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99", "created": "2023-09-21T22:19:04.080Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:33.023Z", "description": "Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c", "created": "2023-12-18T18:10:16.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" }, { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" }, { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:33.228Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can log device keystrokes.(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36", "created": "2020-05-07T15:33:32.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:33.439Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) shows fraudulent ads to generate revenue.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4df6a22e-489f-400c-b953-cc53bfb708a3", "created": "2020-09-14T14:13:45.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:41.304Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s iOS version can collect device information.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4e68feca-083f-40ed-88d8-2b6a3935c949", "created": "2023-01-18T19:12:11.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:33.862Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use the Android `CallScreeningService` to silently block incoming calls.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7", "created": "2020-07-20T13:27:33.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:34.064Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819", "created": "2019-08-07T15:57:13.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:41.699Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can retrieve a list of installed applications. 
Installed application names are then checked against an adversary-defined list of targeted applications.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446", "created": "2020-12-14T14:52:03.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:34.465Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309", "created": "2024-03-28T18:28:13.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:34.667Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect call logs.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4ee57616-7205-490c-86c3-c27dcffd8689", "created": "2022-04-06T13:35:43.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:34.929Z", "description": "Recent OS versions have limited access to certain APIs unless certain conditions are met, making [Data Manipulation](https://attack.mitre.org/techniques/T1641) more difficult.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4efa4953-7854-4144-8837-d7831ccbe35d", "created": "2020-04-24T17:46:31.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:42.248Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:35.364Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:35.572Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54", "created": "2021-10-01T14:42:48.744Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:42.704Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record audio.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4f812a57-efdc-463b-bf37-baa4bca7502b", "created": "2020-05-04T14:22:20.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:35.969Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) ", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4fc165fd-185e-4c70-b423-c242cf715510", "created": "2019-10-07T16:32:27.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:36.171Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) checks if it is running in an analysis environment.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760", "created": "2022-03-30T14:41:20.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:36.370Z", "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3", "created": "2023-02-28T21:44:45.063Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:36.569Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can use overlays to cover legitimate applications or screens.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:36.769Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c", "created": "2025-03-27T22:38:07.896Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. 
Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:36.973Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has collected credentials, banking details and other information from the victim device.(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b", "created": "2023-07-21T19:51:08.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:37.222Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access a device\u2019s location.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966", "created": "2023-08-04T18:31:30.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:37.499Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--506d657b-1634-442e-8179-7187f82feb3a", "created": "2020-12-24T21:55:56.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:37.715Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24", "created": "2020-01-27T17:05:58.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:43.810Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can track the device\u2019s location.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794", "created": "2020-04-08T15:41:19.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:38.121Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect the device\u2019s ID.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--50bab448-fee6-49e9-a296-498fe06eacc7", "created": "2019-11-21T16:42:48.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:44.095Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can obtain a list of installed applications.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--50c81a85-8c70-48df-a338-8622d2debc74", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:38.523Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97", "created": "2023-09-28T17:20:00.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:38.729Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request coarse and fine location permissions to track the device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4", "created": "2024-03-28T18:32:05.099Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:38.945Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive files from the C2 and execute them via the parent application.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--50f03c00-5488-49fe-a527-a8776e526523", "created": "2020-11-24T17:55:12.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:44.561Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect a list of installed applications.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5107be8a-b5fc-4442-af0d-2c92e086a912", "created": "2020-05-11T16:13:43.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:44.771Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) checks if a targeted application is running in user-space prior to infection.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--51457698-e98b-435a-88c2-75a82cdc2bda", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:39.579Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab", "created": "2022-04-11T20:06:38.811Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:39.792Z", "description": "Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--51757971-17ac-40c3-bae7-78365579db49", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:39.996Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--51b0a4fb-a308-4694-9437-95702a50ebd5", "created": "2020-09-11T16:22:03.231Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:45.384Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can take photos with the device camera.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--51bd38a1-465b-49c0-9218-5984f391a51c", "created": "2023-12-18T19:03:44.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:40.452Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can register with the `BOOT_COMPLETED` broadcast to start when the device turns on.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1", "created": "2019-09-04T15:38:57.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:40.669Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999", "created": "2020-11-24T17:55:12.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:40.876Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can register for the `BOOT_COMPLETED` broadcast intent.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3", "created": "2019-10-18T15:51:48.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:41.079Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--520668a0-2523-4515-8ed9-f8059023632f", "created": "2024-02-20T23:59:59.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:41.315Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if WiFi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--520c7112-9768-42c5-8917-1950efd182f9", "created": "2023-02-06T19:38:45.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:41.520Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use keylogging to capture user input.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--526099a3-132d-430f-9559-fc067e39b227", "created": "2025-03-24T20:28:37.281Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:41.783Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of running processes.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa", "created": "2022-04-01T16:52:36.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:42.208Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--52765114-6cad-4c2c-8e4d-7ccc880cee7d", "created": "2025-08-29T22:04:11.515Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:04:11.515Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `WRITE_EXTERNAL_STORAGE` permission to delete files in the device\u2019s external storage.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", "created": "2020-06-26T14:55:13.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:46.562Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25", "created": "2020-09-11T15:55:43.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:46.811Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) deletes incoming SMS messages from specified numbers, including those that contain particular strings.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b", "created": "2020-12-18T20:14:47.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:47.134Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has utilized foreground services.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--53044fc0-9bab-46c7-99a3-428ab1795505", "created": "2025-08-29T22:01:51.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:01:51.078Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `Read_SMS` permission to access SMS messages.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", "created": "2019-07-10T15:47:19.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:47.336Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a", "created": "2023-10-10T15:33:59.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:43.252Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5340f466-abf0-4bb9-a7e9-44694014561d", "created": "2025-03-24T20:09:44.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:43.461Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s call log.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--535d2425-21aa-4fe5-ae6d-5b677f459020", "created": "2022-03-28T19:41:37.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:43.673Z", "description": "Security updates may contain patches for devices that were compromised at the supply chain level.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--536c84cc-6700-4eef-916f-2ddcc0518770", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--53aa0360-fbe6-4007-887c-a9e5ddadea74", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--53c19d17-7109-4394-9c38-7a7514cddd0a", "created": "2025-10-08T14:40:59.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:40:59.584Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected location data.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:44.095Z", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5417959b-9478-49fb-b779-3c82a10ad080", "created": "2020-12-17T20:15:22.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:48.016Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47", "created": "2022-04-01T17:08:41.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:44.526Z", "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2", "created": "2019-09-04T14:28:15.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:44.748Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can reset the user's password/PIN.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81", "created": "2022-04-05T20:03:46.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:44.949Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515", "created": "2023-06-09T19:10:48.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:45.146Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec", "created": "2022-04-01T15:54:48.924Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:45.369Z", "description": "Applications very rarely require administrator permission. Developers should be cautioned against using this higher degree of access to avoid being flagged as a potentially malicious application. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--54da16fe-c3af-4283-8e73-434beca633d4", "created": "2025-03-28T15:05:00.278Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:45.574Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the heartbeat beacons from the implant to obtain device information, such as the IMEI, MEID, and the serial number.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--54dac52d-5279-407f-b7b4-5484ae90b98c", "created": "2021-02-17T20:43:52.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:48.806Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has downloaded and installed additional applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d", "created": "2017-10-25T14:48:53.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TelephonyManager", "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:46.010Z", "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089", "created": "2022-03-28T19:41:27.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:46.225Z", "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--558ec1f4-a4ba-461f-b8aa-403f07ea3431", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", "created": "2020-04-24T15:06:33.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:49.175Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect voice notes, device accounts, and gallery images.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4", "created": "2021-01-05T20:16:20.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:46.649Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can execute commands.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--55f1c604-f3e1-4eef-8313-d136425be83d", "created": "2025-01-10T16:25:28.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. 
Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:46.852Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has obfuscated code and anti-virtualization techniques to hinder analysis.(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5603f2f4-cb1a-4cf2-ac59-bb29e07e20cf", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--5619e263-d48c-47a5-ab68-8677fe080a15", "created": "2022-03-30T14:42:27.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:47.054Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--56551987-326a-46ad-a34a-59bb7ab793a9", "created": "2020-12-14T14:52:03.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:47.259Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can request device administrator permissions.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--56816b86-3c80-429b-8360-7b4e77538c97", "created": "2025-03-24T18:00:24.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. 
Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:47.670Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected payment history from WeChat Pay.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba", "created": "2023-12-18T19:08:12.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:47.869Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can track the device\u2019s location.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--56a255a5-9fa2-45bb-8848-fd0a68514467", "created": "2022-04-11T20:06:56.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:48.065Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282", "created": "2023-07-21T19:36:35.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:48.265Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5706742b-733d-44e9-a032-62b81ba05bcf", "created": "2020-06-02T14:32:31.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:48.465Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve SMS messages and iMessages.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--57293fc9-8838-4acd-a16f-48f516d0921e", "created": "2020-04-08T15:51:25.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:48.694Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) hides its icon after installation.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5738479d-47fb-4d6f-9f04-5ce988327694", "created": "2023-12-18T19:07:31.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:48.913Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can collect the device\u2019s call log.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5749763a-0aef-460a-b081-849adba8d58f", "created": "2023-12-18T18:18:44.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:49.117Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has injected string contents into the device clipboard.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--57881f4b-8463-430c-912a-0e3c961e7784", "created": "2023-07-21T19:52:30.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:49.536Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can copy and exfiltrate a device\u2019s contact list.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--57a069a0-399f-43ab-9efc-50432a41b26b", "created": "2020-12-24T21:55:56.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:49.761Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has deleted or renamed specific files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791", "created": "2022-03-30T19:33:17.520Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:50.219Z", "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78", "created": "2023-02-28T20:37:59.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:50.409Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can obfuscate class, string, and method names in newer malware versions.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--57f7fa9e-26c4-4cbf-a932-71d45e24da43", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--583720d0-8b15-4662-822e-bb40bc1df940", "created": "2023-12-18T18:09:02.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:50.614Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can retrieve Android system and hardware information.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5862d1a0-009f-4153-9263-387f6e723cc3", "created": "2026-03-09T14:59:11.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T14:59:11.768Z", "description": "(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--58652c88-178b-4b96-bad6-c542c7948929", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72", "created": "2020-11-24T17:55:12.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:51.462Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device\u2019s IMEI, phone number, and country.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56", "created": "2020-06-26T15:32:25.045Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:51.030Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--58c857f8-4f40-48e0-b3ac-41944d82b576", "created": "2020-12-24T22:04:27.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:51.268Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of contacts.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2", "created": "2023-12-18T19:06:59.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:51.666Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1", "created": "2025-04-15T18:05:36.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:51.863Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has exfiltrated collected data to the C2.(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5977289e-d38f-4974-912b-2151fc00c850", "created": "2020-11-20T16:37:28.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:52.141Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device\u2019s phone number and IMSI.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--598005fe-a176-421e-8086-e9593fcfa40d", "created": "2026-03-09T15:26:56.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:46:42.326Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has exfiltrated the device\u2019s location.(Citation: ESET_VajraSpy_Feb2024) [VajraSpy](https://attack.mitre.org/software/S9006) has also requested the `android.permission.ACCESS_FINE_LOCATION` and `android.permission.ACCESS_COARSE_LOCATION` permissions to obtain the device\u2019s location.(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9", "created": "2022-04-05T19:52:32.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:52.319Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--59bd2521-3df2-49f1-afb7-ee78995740dc", "created": "2025-09-18T14:42:55.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:42:55.159Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has used a fake application to request permissions and to download itself.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f", "created": "2025-03-28T14:57:39.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:52.727Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors deleted the initial exploitation message and exploit attachment.(Citation: SecureList OpTriangulation 01Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--59d463d3-3a41-4269-be9a-7a69f44eca78", "created": "2020-10-29T19:21:23.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:52.929Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has communicated with the C2 server using HTTP.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef", "created": "2022-04-05T20:14:17.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:53.152Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d", "created": "2019-07-10T15:35:43.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:53.358Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) gathers and exfiltrates data about nearby Wi-Fi access points.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1", "created": "2020-10-29T17:48:27.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:53.561Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a277966-4559-487e-bdfb-7be6366ccdb6", "created": "2019-09-03T19:45:48.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:53.773Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3", "created": "2020-06-26T14:55:13.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:53.189Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae", "created": "2020-12-24T22:04:27.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:54.213Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has used HTTP POST requests for C2.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb", "created": "2025-01-10T16:17:20.835Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. 
Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:54.420Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can access the device's location.(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:54.849Z", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.(Citation: Tripwire-MazarBOT)", "relationship_type": "uses", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:55.051Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb", "created": "2025-03-24T14:53:31.951Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:55.263Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214)\u2019s payload has obtained the C2 address via Twitter accounts.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0", "created": "2019-09-15T15:32:17.563Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:54.021Z", "description": "Application developers could be encouraged to avoid placing sensitive data in notification text.", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5aa167b8-4166-440b-b49f-bf1bab597237", "created": "2019-11-21T16:42:48.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:55.666Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect the device\u2019s call log.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5b235ed4-548d-49f2-ae01-1874666e6747", "created": "2022-03-30T19:51:56.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:56.071Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02", "created": "2020-12-17T20:15:22.452Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:54.593Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27", "created": "2024-03-26T19:38:28.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" }, { "source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:56.523Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can download more malware to the victim device.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5b5586b9-75ee-476f-b3eb-49878254302c", "created": "2019-07-16T14:33:12.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:54.932Z", "description": "[Triada](https://attack.mitre.org/software/S0424) is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. 
This permission enables access to information about applications currently in the foreground and other recently used apps.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5b670281-0054-42b4-8e54-ea01a692f5bf", "created": "2021-10-01T14:42:48.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:55.137Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can open a hidden menu when a specific phone number is called from the infected device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0", "created": "2024-03-26T19:06:59.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" }, { "source_name": "sentinelone_israel_hamas_war", "description": "Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:57.156Z", "description": "(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f", "created": "2020-04-08T15:41:19.427Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:57.384Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c", "created": "2021-02-17T20:43:52.324Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:55.647Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a", "created": "2020-07-27T14:14:56.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:58.260Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can inject code into the Setup Wizard at runtime to extract CAPTCHA images. 
[Zen](https://attack.mitre.org/software/S0494) can inject code into the `libc` of running processes to infect them with the malware.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0", "created": "2020-12-24T22:04:27.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:56.067Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has tracked location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b", "created": "2025-04-10T19:58:19.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). 
LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:58.676Z", "description": "(Citation: MelikovBlackBerry LightSpy 2024)", "relationship_type": "uses", "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "target_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:56.387Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5d00e3bf-dca3-4bd5-b54d-00d361cf3621", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da", "created": "2021-09-24T14:52:41.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:56.703Z", "description": " [Monokle](https://attack.mitre.org/software/S0407) can hook itself to appear invisible to the Process Manager.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5d37400f-80f9-4500-9357-185650e5a7b2", "created": "2023-02-06T18:54:13.573Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:59.525Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use HTTP to communicate with the C2 server.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c", "created": "2023-01-18T21:38:58.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:59.762Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d", "created": "2023-02-06T18:52:40.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:48:59.979Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can intercept SMS messages containing two factor authentication codes.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2", "created": "2022-03-30T19:12:31.481Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:00.213Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5e360913-4986-4423-8d3c-46d3202b7787", "created": "2019-09-04T14:28:15.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:57.320Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the salt used when storing the user\u2019s password, aiding an adversary in computing the user\u2019s plaintext password/PIN from the stored password hash. [Monokle](https://attack.mitre.org/software/S0407) can also capture the user\u2019s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e", "created": "2024-03-29T15:05:17.290Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:00.609Z", "description": "Users should be advised to not trust or install self-signed certificates.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d", "created": "2019-09-23T13:36:08.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { 
"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:00.826Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) procedurally generates subdomains for command and control communication.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5e95ca90-bf75-4031-a28f-f8565c02185c", "created": "2020-11-24T17:55:12.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:01.026Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can lock the user out of the device by showing a persistent overlay.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5f8d6d22-b2a9-430b-bece-d6846c89b49b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--5fadf570-afe5-44eb-9034-45905a28b8d8", "created": "2025-05-19T18:26:28.765Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MSTI_StarBlizzard_Jan2025", "description": "Microsoft Threat Intelligence. (2025, January 16). New Star Blizzard spear-phishing campaign targets WhatsApp accounts. 
Retrieved May 2, 2025.", "url": "https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-05-19T18:28:36.712Z", "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) has used the linked devices feature to connect WhatsApp accounts to adversary-controlled infrastructure and/or the WhatsApp Web portal for message exfiltration.(Citation: MSTI_StarBlizzard_Jan2025)", "relationship_type": "uses", "source_ref": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410", "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5", "created": "2023-12-18T18:12:37.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" }, { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:01.459Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has employed code obfuscation and encryption of configuration files.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--60439118-3ceb-490b-9df5-e35e7fca9009", "created": "2024-03-28T18:26:14.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:02.072Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive the following broadcast events to establish persistence: `BOOT_COMPLETED`, `BATTERY_LOW`, `USER_PRESENT`, `SCREEN_ON`, `SCREEN_OFF`, or `CONNECTIVITY_CHANGE`.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--605d95a1-0493-418e-9d81-de58531c4421", "created": "2020-04-24T15:12:11.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:02.283Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--606b07b9-b5a4-464f-8381-062e2134d0ab", "created": "2023-12-18T18:14:22.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" }, { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:02.491Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can remove installed antivirus applications as well as disable Google Play Protect.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--60782df8-1e96-48eb-a6b7-843c94b32b59", "created": "2023-02-06T19:43:17.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:02.710Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can hide its application icon.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:02.920Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--60954386-50d8-413b-b673-c305f99be0e3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41", "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--60ad088f-3133-4b0c-a441-e1e06fff1765", "created": "2023-02-06T19:37:56.416Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:03.367Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather data about the device.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--60da837d-a635-4533-b96a-db2689cc4771", "created": "2024-04-02T19:39:49.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:03.578Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can send SMS messages.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb", "created": "2020-01-27T17:05:58.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:58.930Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encodes its configurations using a customized algorithm.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113", "created": "2020-06-26T15:32:25.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:04.024Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--60eb0917-7f98-46c5-a677-3234a21dc00a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3", "created": "2019-07-10T15:35:43.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:04.258Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71", "created": "2019-07-10T15:42:09.606Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:04.468Z", "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) ", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6132b084-b68b-41ea-9fc2-8e134df48602", "created": "2026-02-16T16:01:56.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:01:56.318Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to start and stop camera recording.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--61550ef4-41f0-4354-af5c-f47db8aca654", "created": "2020-06-02T14:32:31.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:59.554Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c", "created": "2020-01-21T15:29:27.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:28:59.731Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can download attacker-specified files.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95", "created": "2025-03-28T15:06:20.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:05.096Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of processes.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--61e27ee2-ef0a-43b9-8e58-e8703654bc25", "created": "2025-08-29T22:03:08.447Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:03:08.447Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `RECORD_AUDIO` permission to record audio with the microphone.(Citation: MerkleScience_Godfather_April2023) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544", "created": "2022-04-05T19:40:25.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:05.321Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc", "created": "2023-02-06T19:41:40.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:05.526Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can silently intercept and manipulate notifications. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also inject cookies via push notifications.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d", "created": "2022-03-30T20:13:40.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:05.962Z", "description": "Users should be shown what synthetic activities look like so they can scrutinize them in the future.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f", "created": "2020-12-14T15:02:35.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:00.493Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has implemented functions in native code.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6", "created": "2022-03-30T13:48:43.977Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:06.375Z", "description": "Mobile security products can typically detect jailbroken or rooted devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6315b6ec-35f8-4b28-8603-664664311a33", "created": "2023-08-16T16:44:53.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T22:01:01.200Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has read the name of application packages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--634071ce-d386-4143-8e6e-b88bc077de6d", "created": "2020-07-27T14:14:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:00.886Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can dynamically load executable code from remote sources.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:01.146Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:01.332Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--642a2599-a50c-480c-8e07-2a3a217f4a46", "created": "2023-07-21T19:52:13.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:07.434Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can turn on a device\u2019s microphone to capture audio.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--642ae344-57b0-4fb4-aa40-43112b484bbc", "created": "2025-08-29T22:02:12.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:02:12.326Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s contact list.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda", "created": "2023-02-06T19:02:00.135Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:07.852Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself microphone permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--64a55364-3ad1-40e8-92a2-58a7a71a18c9", "created": "2025-06-25T15:37:54.563Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:37:54.563Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65", "created": "2021-04-19T17:05:42.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:01.810Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has collected files from the infected device.(Citation: Lookout Uyghur Campaign)\t", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff", "created": "2019-09-04T14:28:16.478Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:02.068Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. 
[Monokle](https://attack.mitre.org/software/S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e", "created": "2020-07-15T20:20:59.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:02.358Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4", "created": "2020-04-08T15:51:25.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": 
"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:02.599Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can capture device screenshots and stream them back to the C2.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28", "created": "2023-10-10T15:33:58.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:08.913Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has masqueraded as popular South Korean applications.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6588914f-d270-47d3-b889-046564ad616f", "created": "2023-08-16T16:35:21.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T22:01:17.043Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61", "created": "2020-01-27T17:05:58.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:03.038Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. [GolfSpy](https://attack.mitre.org/software/S0421) can list image, audio, video, and other files stored on the device. 
[GolfSpy](https://attack.mitre.org/software/S0421) can copy arbitrary files from the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--65acbbe2-48e1-4fba-a781-39fb040a711d", "created": "2019-09-03T19:45:48.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:09.582Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a", "created": "2023-08-16T16:34:14.088Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). 
Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:22:17.600Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has performed overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has launched overlay attacks through the \u201cInjection\u201d activity.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed", "created": "2023-09-21T22:20:53.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "app_hibernation", "description": "Android Developers. (2023, August 28). App hibernation. 
Retrieved September 21, 2023.", "url": "https://developer.android.com/topic/performance/app-hibernation" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:10.017Z", "description": "Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application\u2019s permission requests.(Citation: app_hibernation)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574", "created": "2023-10-10T15:33:58.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Forbes Cerberus", "description": "Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). 
Retrieved June 26, 2020.", "url": "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:10.271Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) has pretended to be an Adobe Flash Player installer.(Citation: Forbes Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--66132260-65d1-4bf5-8200-abdb2014be6f", "created": "2020-09-15T15:18:12.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:10.474Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can detect if it is running in an emulator and adjust its behavior accordingly.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519", "created": "2022-04-05T17:03:53.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:10.690Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--66ba3094-7c14-41b9-b7c1-814d026156b9", "created": "2020-09-11T15:58:40.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:03.919Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete and send SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--66be8672-6075-4309-b287-c9b81249f610", "created": "2025-08-29T22:11:23.343Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" }, { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:11:23.343Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has exfiltrated sensitive information over C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42", "created": "2020-11-10T17:08:35.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:04.105Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used native libraries in some reported samples.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6701f90c-6fce-4f7b-a785-a585601d366a", "created": "2025-03-24T14:58:02.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:11.542Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has exfiltrated SMS and MMS messages.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--670a0995-a789-4674-9e91-c74316cdef90", "created": "2020-09-11T14:54:16.621Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:04.554Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record audio from phone calls and the device microphone.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--67aa692c-24e4-483e-996e-02ce1e861ec8", "created": "2023-02-28T20:37:29.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:11.965Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can add display overlays onto banking apps to capture credit card information.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2", "created": "2019-09-03T20:08:00.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:12.172Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) code is both obfuscated and packed with an FTT packer.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f", "created": "2021-01-20T16:01:19.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. 
Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:12.371Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has used motion sensor data to attempt to determine if it is running in an emulator.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:12.773Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--68267f97-b22e-4cd5-a417-0771a1741a32", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6846dc09-b66a-42d3-aea2-c80b51f22952", "created": "2023-02-28T21:42:31.008Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:12.992Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record audio using the device microphone.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--684c17bb-2075-4e1f-9fcb-17408511222d", "created": "2021-09-20T13:54:19.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:05.428Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can silently accept an incoming phone call.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44", "created": "2024-04-02T19:14:16.279Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:13.424Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can access and retrieve files on a device.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b", "created": "2025-03-28T15:09:23.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:13.621Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of files in a specified directory using the `fts` API.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6885280e-5423-422a-94f1-e91d557e043e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-XcodeGhost1", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" }, { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:13.816Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).(Citation: PaloAlto-XcodeGhost1)(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--68c17e9b-1fda-49dd-982b-566d473cc32b", "created": "2022-04-06T15:51:11.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:14.017Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:14.225Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3", "created": "2020-07-20T13:27:33.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:14.432Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s contact list.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50", "created": "2021-09-20T13:50:02.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. 
(2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:14.667Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can make phone calls.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8", "created": "2025-03-28T15:08:25.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" }, { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:14.876Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have dumped the device\u2019s keychain.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--694857ba-92e8-462e-8900-a9f6fdcf495d", "created": "2020-12-31T18:25:05.133Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:06.509Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has encrypted its DEX payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c", "created": "2019-08-09T18:02:06.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:15.306Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) can capture video using device cameras.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:15.508Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--697f5584-667f-4489-a535-586dd1a8b48c", "created": "2023-10-10T15:33:59.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:15.722Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--698d6406-b2a9-4038-b3c7-37c0fff8999e", "created": "2026-02-16T15:48:04.051Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-19T23:07:16.754Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked if the victim has accessed the malicious URL from a PC. 
If so, [DocSwap](https://attack.mitre.org/software/S9005) redirected the victim to scan the malicious QR code using a mobile device.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:15.925Z", "description": "[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:16.144Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) is capable of recording device phone calls.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a1d8b2f-9007-46ba-b559-356b81632cee", "created": "2023-10-10T15:33:58.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:16.362Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has masqueraded as TikTok.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b", "created": "2020-09-14T14:13:45.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. 
(2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:07.263Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate device pictures.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2", "created": "2022-04-01T15:13:55.124Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:16.772Z", "description": "Users should be instructed to not open links in applications they don\u2019t recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", "created": "2020-06-02T14:32:31.878Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:07.756Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can obtain a list of installed non-Apple applications.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a813057-5fe0-46b5-89a3-c804d223568c", "created": "2023-08-04T18:30:16.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:17.437Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate the victim device ID, model, manufacturer, and Android version.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a821e14-8247-408b-af37-9cecbba616ec", "created": "2020-05-07T15:33:32.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:08.072Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) obtains the device\u2019s application list.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a87a107-e607-460b-a08c-cc693b15268c", "created": "2024-03-26T19:31:52.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:17.864Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the victim device\u2019s contact list.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a", "created": "2024-03-26T18:49:57.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:18.072Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can masquerade as the chat application \"Magic Smile.\"(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e", "created": "2023-09-21T22:18:06.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:18.278Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) initially poses as a benign application, then malware is downloaded and executed after an application update.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0", "created": "2023-06-09T19:11:38.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:18.482Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s location and check if GPS is enabled. 
[Hornbill](https://attack.mitre.org/software/S1077) has logic to only log location changes greater than 70 meters.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:08.630Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61", "created": "2024-03-26T18:43:59.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:18.928Z", "relationship_type": "uses", "source_ref": 
"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9", "created": "2021-01-05T20:16:20.500Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:19.127Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect SMS messages from the device.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab", "created": "2023-01-18T19:16:15.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:19.364Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use keylogging to steal user banking credentials.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6b7783d9-415c-4134-b984-b7dac929c59d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b", "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696", "created": "2022-03-28T19:38:23.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:19.571Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec", "created": "2025-03-14T17:57:19.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:19.805Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) uses a virtualization solution to steal credentials.(Citation: Promon FjordPhantom Oct2024)", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a", "created": "2023-03-03T15:42:28.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:20.011Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can send large amounts of device data over its C2 channel, including the device\u2019s manufacturer, model, version and serial number, telephone number, and IP address.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2", "created": "2025-03-27T22:49:03.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:20.220Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has obtained a list of installed applications.(Citation: SecureList OpTriangulation 23Oct2023)", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6c0105f3-e919-499d-b080-d127394d2837", "created": "2022-03-30T18:14:23.210Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:20.419Z", "description": "Insecure or malicious configuration settings typically cannot be installed without the user's consent, so user awareness is the primary control against this technique. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning), even when the prompt appears to come from a trusted source.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6c35f99c-153d-4023-a29a-821488ce5418", "created": "2020-04-08T15:41:19.383Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:20.617Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82", "created": "2020-09-11T16:22:03.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:09.676Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect system information, including brand, manufacturer, and serial number.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e", "created": "2021-02-08T16:36:20.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:10.014Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6cace9e3-f095-4914-bddc-24cec8bcc859", "created": "2020-09-24T15:34:51.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:10.249Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can collect the device\u2019s photos, browser history, bookmarks, and accounts stored on the device.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6ce36374-2ff6-4b41-8493-148416153232", "created": "2020-07-20T13:27:33.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:10.445Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect user account, photos, browser history, and arbitrary files.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6d0c1fb2-095f-4cd7-9594-0299823e3b0e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6d2c7743-fc75-4524-b217-13867ca1dd10", "created": "2019-09-03T20:08:00.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:21.878Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can collect the contact list.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6d38782e-2c88-411b-8328-72347d4c6024", "created": "2025-03-14T18:01:12.030Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:22.088Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has injected malicious code and a hooking framework through a virtualization solution, i.e. 
[Virtualization Solution](https://attack.mitre.org/techniques/T1670), into the process of the hosted application.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6d659130-545b-4917-891c-6c1b7d54ed07", "created": "2021-01-05T20:16:20.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:10.838Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can send SMS messages.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6d88242f-e45b-481c-bd41-b66a662618ce", "created": "2022-04-06T13:57:24.730Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:22.521Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf", "created": "2024-03-26T19:32:59.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cyware APT-C-23 2020", "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4" }, { "source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" }, { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:22.718Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can record phone calls and audio.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6dada572-9e79-4835-9f8c-fcb6a94947af", "created": "2025-03-28T14:55:59.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" }, { "source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/" }, { "source_name": "SecureList OpTriangulation Dec2023", "description": "Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:23.125Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors sent iMessage messages carrying malicious exploits that executed without any user interaction (a zero-click chain, so there is no user action that could have blocked it).(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) Additionally, the threat actors have used various exploits, such as CVE-2023-41990, CVE-2023-32435, CVE-2023-32434, and CVE-2023-38606, to obtain privilege escalation.(Citation: SecureList OpTriangulation Dec2023)", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05", "created": "2023-12-18T18:18:56.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:23.364Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has performed country and language checks.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23", "created": "2020-09-11T14:54:16.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:11.458Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect device metadata and can check if the device is rooted.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6e642c09-751c-43d8-9b99-aabb1703cad7", "created": "2025-03-24T17:57:15.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:23.803Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) gains initial execution when a victim visits a compromised or adversary-controlled website (a watering-hole attack), including sites mimicking legitimate sources such as a Hong Kong newspaper. Upon loading `index.html`, a Safari WebKit exploit is triggered, leading to the download of a Mach-O binary disguised with a `.png` extension.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6e811d89-6526-480f-be40-1ad6483182ff", "created": "2023-10-10T15:33:58.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:24.013Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used the Play Store icon as well as the name \u201cGoogle Play Marketplace\u201d.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3", "created": "2023-08-04T18:29:05.423Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:24.455Z", "description": "(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "target_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60", "created": "2020-09-11T14:54:16.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:12.083Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect attacker-specified files, including files located on external storage.(Citation: Lookout Desert Scorpion)\t", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87", "created": "2020-06-26T15:12:40.098Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:12.301Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can retrieve a list of installed applications.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d", "created": "2019-07-10T15:25:57.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:25.092Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6f8ae8db-9657-45d9-bad8-5aef68644e76", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6f96e9f0-1054-40f5-a8f9-3f926624752d", "created": "2025-08-29T22:01:00.191Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:01:00.191Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling itself.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c", "created": "2020-11-10T17:08:35.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:12.625Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can dynamically load additional functionality.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998", "created": "2020-04-08T15:41:19.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:25.519Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49", "created": "2024-04-02T19:13:36.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:25.720Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device\u2019s microphone.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7017085c-c612-48b2-b655-e18d7822d0e7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:25.930Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--70215e99-74e2-4a6a-999a-76507c20a82d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:26.141Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:13.312Z", "description": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e", "created": "2020-01-14T17:47:08.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:13.482Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) checks the Android version to determine which system library to patch.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:13.703Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--70fa8498-6117-4e15-ae3c-f53d63996826", "created": "2020-06-26T15:32:25.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:13.876Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect the device\u2019s location.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--711d0a57-1e3f-4598-80a4-952b6ad9ada4", "created": "2026-02-06T21:27:07.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:27:07.465Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has displayed a black screen overlay and has muted the sound of the device to conceal all malicious actions.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:14.055Z", "description": "[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device\u2019s information including IMEI, IMSI, ICCID, serial number and phone number.(Citation: PaloAlto-DualToy)", "relationship_type": "uses", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--716f68ee-1e77-4254-8f67-d8f3c71db678", "created": "2021-09-20T13:59:00.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:14.279Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via phone call from a set of \"control phones.\"(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--717feaf1-493b-4a3e-b886-40652f41168d", "created": "2024-03-28T18:31:04.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:27.621Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obtain a list of installed applications.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--718a612e-50c5-40ab-9081-b88cefeafcb6", "created": "2021-04-26T15:33:55.905Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CitizenLab Circles", "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. 
Retrieved December 23, 2020.", "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:27.836Z", "description": "[Circles](https://attack.mitre.org/software/S0602) can track the location of mobile devices.(Citation: CitizenLab Circles)", "relationship_type": "uses", "source_ref": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a", "created": "2024-02-20T23:53:09.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:28.073Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:28.317Z", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.(Citation: Tripwire-MazarBOT)", "relationship_type": "uses", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68", "created": "2023-10-10T19:19:38.654Z", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:28.530Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) has exfiltrated cached data from infected devices.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7258542e-029b-45b9-be69-6e76d9c93b35", "created": "2020-09-14T13:35:45.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:28.749Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) can hide its presence on the system.(Citation: ESET-Twitoor)", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8", "created": "2024-03-26T16:18:25.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:28.952Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can take photos and videos using the device cameras.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0", "created": "2017-10-25T14:48:53.741Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:29.149Z", "description": "Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af", "created": "2020-04-24T15:06:33.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. 
(2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:15.206Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can take pictures using the camera and can record MP4 files.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--72a88d43-4144-444e-8f71-ac0d19ae3710", "created": "2020-09-14T14:13:45.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:15.386Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can track the device\u2019s location.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--72bb936a-a255-4823-9675-b39c7e19873c", "created": "2025-08-29T21:58:46.849Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T21:58:46.849Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information, such as credentials.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--732ca9b5-961d-4734-9f8d-339078457457", "created": "2024-04-02T19:15:19.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:29.779Z", "description": "(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258", "target_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--73410b22-5aca-4b86-8efc-98c1ad75399a", "created": "2023-10-10T15:33:59.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:29.977Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) has masqueraded as \u201cGoogle service\u201d, \u201cGooglePlay\u201d, and \u201cFlash update\u201d.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9", "created": "2020-09-11T15:52:12.520Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", 
"description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:15.772Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:30.621Z", "description": "Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee", "created": "2024-02-20T23:56:14.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:30.830Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", "created": "2020-04-24T17:46:31.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:16.317Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276", "created": "2023-10-10T15:33:57.989Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:31.448Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can be bound to legitimate applications prior to installation on devices.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69", "created": "2020-04-08T15:51:25.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:32.070Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330", "created": "2022-04-01T15:01:53.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:32.280Z", "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary\u2019s access to password stores.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe", "created": "2020-07-15T20:20:59.282Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:17.039Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", "created": "2019-10-10T15:17:00.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:17.306Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--75770898-93a7-45e3-bdb2-03172004a88f", "created": "2022-03-30T14:49:47.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:33.116Z", "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--75989cf6-c023-4ed3-9d23-a83f55690186", "created": "2023-02-28T21:43:36.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:33.328Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can read incoming text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b", "created": "2020-12-14T15:02:35.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:17.734Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d", "created": "2023-08-16T16:33:56.014Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:23:56.915Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has logged keystrokes of an infected device.(Citation: cyble_chameleon_0423) Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has stolen PINs, passwords and graphical keys through keylogging functionalities.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--75ed2348-279f-4485-97a3-9a5ada27d799", "created": "2023-02-06T19:06:17.406Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:33.925Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can disable Play Protect.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--760037f0-f027-41bb-adf8-1ced6c7085be", "created": "2023-10-10T15:33:59.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:34.121Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has mimicked Facebook and Google icons on the \u201cRecent apps\u201d screen to avoid discovery and uses the `com.google.xxx` package name to avoid detection.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f", "created": "2020-11-10T17:08:35.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:18.235Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2", "created": "2024-04-02T19:47:46.198Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:34.575Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has used obfuscation techniques to hide its hardcoded C2 address.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--76561fe4-98a3-4a7c-8be5-04730cbab146", "created": "2026-02-16T15:59:09.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:04:33.979Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has requested for the `READ_CONTACTS` and `WRITE_CONTACTS` permissions and has the ability to send contact information.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847", "created": "2022-04-06T13:30:03.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:34.987Z", "description": "Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7696b512-ba2f-4310-86e1-7c528529fc5e", "created": "2020-09-15T15:18:12.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). 
FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:18.732Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of [FakeSpy](https://attack.mitre.org/software/S0509) encrypt the C2 address.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--76abec4d-469b-4f99-8c8d-625adca37702", "created": "2025-10-08T14:41:20.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:41:20.204Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has captured audio from the device by taking control of the microphone.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--76cc66f4-ce85-4873-a63e-879b4a14a540", "created": "2023-03-03T16:23:20.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:35.423Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has connected to the C2 server via HTTP.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98", "created": "2023-10-10T15:33:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:35.648Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has masqueraded as legitimate media player, social media, and VPN applications.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--77740738-9796-4991-8898-dc2ba10c9c25", "created": "2025-09-17T15:30:01.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-17T15:30:01.513Z", "description": "OS feature updates often enhance security and privacy around permissions. ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--77efa84c-5ef0-4554-b774-2dbfcca74087", "created": "2020-10-29T19:20:58.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:19.227Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889", "created": "2023-08-04T18:30:58.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:36.312Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access a device\u2019s location.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45", "created": "2023-02-06T19:47:26.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:36.530Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has been distributed in obfuscated and packed form.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164", "created": "2020-01-27T17:49:05.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:19.672Z", "description": "(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9", "created": "2024-01-26T17:44:59.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:36.957Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) may use the `BOOT_COMPLETED` action to trigger further scripts on boot.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7885c84c-b832-42d4-b3d3-49b82849262f", "created": "2024-03-26T19:04:53.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:37.162Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can collect and exfiltrate WhatsApp media, photos and files with specific extensions, such as .pdf and .doc.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--789699c2-44f1-4280-bf86-ab23e6a13e84", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:37.365Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:20.336Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number and mobile device unique identifier (IMEI).(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f", "created": "2019-09-03T19:45:48.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:37.773Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:20.714Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf", "created": "2020-09-11T15:43:49.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:20.924Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57", "created": "2023-12-18T19:04:37.052Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:38.388Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can enumerate files on external storage.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7", "created": "2020-11-24T17:55:12.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:38.601Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request device administrator permissions.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7965128c-89d6-411e-b765-c60e0cae96c6", "created": "2023-02-06T19:40:36.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:38.822Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can manipulate clipboard data to replace cryptocurrency addresses.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--797e82a0-0132-4adc-8885-c9e9d88386dd", "created": "2024-03-28T18:26:51.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:39.033Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to record phone calls.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--79872876-cb90-4371-9819-1bc51219d3f4", "created": "2026-02-16T15:59:27.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:05:44.094Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has requested the `CALL_PHONE` permission to make phone calls.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1", "created": "2022-04-06T13:52:46.831Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:39.258Z", "description": "Android 7 changed how the Device Administrator password APIs function.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--79cfdbac-3e7c-4d47-a85b-b735061b215a", "created": "2021-10-07T12:21:31.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T22:25:42.526Z", "relationship_type": "revoked-by", "source_ref": "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", "target_ref": 
"intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--79ef0025-3e1c-4914-9873-19808c2a5bec", "created": "2023-02-28T21:44:22.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:39.457Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record the screen and stream the data off the device.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:21.745Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7a06bcec-4d1a-4b50-89f8-36f145512050", "created": "2025-10-08T20:12:59.696Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:12:59.696Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has captured the device\u2019s screen.(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e", "created": "2019-07-10T15:25:57.602Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:21.948Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac", "created": "2023-12-18T18:14:01.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:40.080Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can search for specific installed security applications.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f", "created": "2020-12-24T22:04:28.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:22.291Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has sent messages to an attacker-controlled number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:22.464Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7ae22228-126b-4661-b378-6cdc0b90f35d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:22.655Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024", "created": "2022-04-15T18:11:06.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Skycure-Profiles", "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20150203010257/https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:40.915Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.(Citation: Skycure-Profiles)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f", "created": "2022-04-01T18:49:19.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:41.112Z", "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. 
Android 7 introduced updates that revoke standard device administrators\u2019 ability to reset the device\u2019s passcode.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046", "created": "2022-04-05T17:14:35.469Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:41.345Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14", "created": "2020-06-26T15:32:25.043Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:41.556Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb", "created": "2019-08-09T16:19:02.782Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android Capture Sensor 2019", "description": "Android Developers. (, January). Android 9+ Privacy Changes . 
Retrieved August 27, 2019.", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:41.771Z", "description": "Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531", "created": "2019-08-07T15:57:13.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:23.400Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7ba30703-c3aa-425a-9482-9e9941fd7038", "created": "2020-12-24T21:45:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:23.660Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access the camera on the device.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890", "created": "2023-01-18T19:09:40.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:42.427Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can record the screen via the `MediaProjection` library to harvest user credentials, including biometric PINs.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:42.648Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7bb81707-5a6b-4332-8c32-4af208db7ae1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e", "created": "2023-07-21T19:34:29.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:42.849Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can take and exfiltrate screenshots.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57", "created": "2023-08-04T18:58:19.825Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:43.059Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can exfiltrate data back to the C2 server using HTTP.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc", "created": "2020-04-08T15:41:19.400Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:43.275Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47", "created": "2023-06-09T19:19:56.840Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:43.486Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has monitored for SMS and WhatsApp notifications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7c6207c7-d738-4a17-8380-595c86574b64", "created": "2020-09-11T16:22:03.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:24.553Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can track the device\u2019s location.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd", "created": "2025-04-15T18:12:30.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:43.907Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected device information such as IMEI, phone number, MAC address and IP address.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7c8dadca-5cc0-40d0-a946-afa99c99cbaf", "created": "2026-03-09T15:47:11.905Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. 
Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:47:11.905Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested the `android.permission.READ_PHONE_STATE` permission to collect information about the device.(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56", "created": "2019-09-03T20:08:00.737Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:44.111Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) abuses accessibility features to intercept all interactions between a user and the device.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562", "created": "2023-07-21T19:38:52.085Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:44.322Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) uses unencrypted HTTP traffic between the victim and C2 infrastructure.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7d481598-ece7-469c-b231-619a804c25e5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:44.545Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688", "created": "2020-05-07T15:33:32.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:44.778Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can hide its icon from the application launcher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7db33293-6971-4c0d-88e0-18f505ebd943", "created": "2022-04-05T20:11:51.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:44.990Z", "description": "Recent OS versions have made it more difficult for applications to register as VPN providers. ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f", "created": "2020-12-24T22:04:28.005Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:25.376Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken photos with the device camera.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7defdb15-65d1-40ca-a9da-5c0484892484", "created": "2020-04-24T17:46:31.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:45.646Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:45.848Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed", "created": "2019-07-10T15:35:43.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:46.054Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7e5a6195-11f7-4862-845c-78a9c4fea3fc", "created": "2026-03-09T15:45:34.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. 
Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:45:34.631Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested the `android.permission.DISABLE_KEYGUARD` permission to disable the device lock screen password.(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad", "created": "2020-11-20T16:37:28.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:26.392Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect images, videos, and attacker-specified files.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4", "created": "2020-04-08T15:41:19.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:46.713Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030", "created": "2022-03-30T20:42:04.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:46.921Z", "description": "Users should be advised to scrutinize applications that request location with extra care, and to deny any permission requests from applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e", "created": "2023-12-18T18:15:38.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:47.136Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can check to see if it has been installed in a virtual environment.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7f47cd7f-9090-4f19-89e0-db75c586547a", "created": "2026-02-16T15:58:35.392Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:03:28.406Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has requested the `READ_CALL_LOG` and `WRITE_CALL_LOG` permissions and has the ability to send call logs.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7f4e1ac1-145e-4983-b735-7f70003893aa", "created": "2023-08-04T18:29:35.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:47.367Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate call logs.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7fa860d3-fa92-4953-8e79-05238b7dff99", "created": "2024-03-29T15:04:39.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:47.580Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BankInfoSecurity-BackDoor", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" }, { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). 
Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:47.788Z", "description": "[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.(Citation: NYTimes-BackDoor)(Citation: BankInfoSecurity-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9", "created": "2019-07-16T14:33:12.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Krebs-Triada June 2019", "description": "Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019.", "url": "https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/" }, { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:48.008Z", "description": "[Triada](https://attack.mitre.org/software/S0424) was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.(Citation: Google Triada June 2019)(Citation: Krebs-Triada June 2019)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--806a9338-be20-4eef-aa54-067633ac0e58", "created": "2020-04-08T15:41:19.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:48.276Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device\u2019s GPS location.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--80778a1e-715d-477b-87fa-e92181b31659", "created": "2020-12-24T21:45:56.967Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:48.473Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can delete various pieces of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9", "created": "2021-01-05T20:16:20.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:27.440Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can take screenshots.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--80eb5ebc-ae6f-461e-8e78-a18702249343", "created": "2023-12-18T18:14:53.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:48.920Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--80fecb31-36e5-41e7-8064-15ccd22dbe8a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d", "created": "2023-09-28T17:40:03.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zimperium FlyTrap", "description": "A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. 
Retrieved September 28, 2023.", "url": "https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/" }, { "source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:49.142Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect Facebook account information, such as Facebook ID, email address, cookies, and login tokens.(Citation: Trend Micro FlyTrap)(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8128aebb-c665-4939-9615-aee9125b6373", "created": "2025-08-29T22:05:18.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T14:31:22.774Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted and recorded sensitive information from the application to include user credentials. [GodFather](https://attack.mitre.org/software/S1231) has also leveraged a deceptive overlay that tricks users into submitting their device lock credentials which are captured.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--81722aad-f503-4a74-91d5-1843adf8a995", "created": "2023-08-16T16:36:04.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:17:26.651Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has prevented application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--817d1e5f-5795-4189-81dc-bf90476e7adc", "created": "2025-10-22T21:26:05.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-22T21:26:05.954Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has sent the victim back to the home screen when the victim navigates to the malicious application's settings and has automatically approved any permission requests by clicking on the \"Allow\" button when a system dialogue appears.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8186d2f5-5040-4ba4-b144-7fea7b3e9a55", "created": "2026-04-20T13:23:42.252Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Check Point Wirte NOV 2024", "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. 
Retrieved April 20, 2026.", "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-20T13:23:42.252Z", "description": "[SameCoin](https://attack.mitre.org/software/S9030) can use libexampleone.so to list files to be deleted.(Citation: Check Point Wirte NOV 2024)", "relationship_type": "uses", "source_ref": "malware--4e164a21-3fbe-4aaa-be69-2513fdba90f7", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--818b8c2b-bd23-4a83-9970-d42063608699", "created": "2020-04-24T15:06:33.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:49.581Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device contacts.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a", "created": "2024-03-26T19:13:47.350Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" }, { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" }, { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:49.800Z", "description": "(Citation: welivesecurity_apt-c-23)(Citation: fb_arid_viper)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:28.211Z", "description": "[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.(Citation: TrendMicro-DressCode)", "relationship_type": "uses", "source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f", "created": "2020-06-02T14:32:31.906Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:50.467Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:28.561Z", "description": "[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.(Citation: CheckPoint-Judy)", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7", "created": "2025-03-24T20:13:39.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:50.898Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202.(Citation: Threatfabric LightSpy 2023) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", "created": "2020-09-24T15:34:51.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:28.916Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can send and block SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--825ffecc-090f-44c8-87be-f7b72e07f987", "created": "2022-04-01T18:43:15.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:51.565Z", "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d", "created": "2024-02-20T23:45:08.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:51.767Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--828417ec-c444-41c8-95b4-c339c5ecf62b", "created": "2022-03-30T20:48:00.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:51.965Z", "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--82a51cc3-7a91-43b0-9147-df5983e52b41", "created": "2020-12-14T15:02:35.208Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:52.168Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has communicated with the C2 using HTTP POST requests.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--82e93a9e-6968-497f-8043-a08d0f35bd32", "created": "2023-10-10T15:33:57.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" }, { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:52.612Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has requested accessibility service privileges while masquerading as \"Google Play Protect\" and has disguised additional malicious application installs as legitimate system updates.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--82f12052-783e-40e4-8079-d9c030c310fd", "created": "2022-03-30T20:08:40.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:52.819Z", "description": "Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--82f51cc6-6ce4-459e-b598-7b2b77983469", "created": "2020-04-24T15:06:33.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. 
Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:53.011Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--83358774-0857-429c-9f7a-151403e52881", "created": "2023-10-10T15:33:59.912Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:53.221Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used names like WhatsApp and Netflix.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:53.428Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) steals all SMS messages and contact information as well as intercepts and parses certain SMS messages.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:53.650Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects SMS messages.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b", "created": "2024-04-02T19:14:02.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:53.854Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device\u2019s SMS messages.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:30.384Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered system information including phone number, OS version, phone model, and SDK version.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--83d95d05-7545-4295-894b-f33a2ba1063b", "created": "2020-12-17T20:15:22.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:54.274Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has registered several broadcast receivers.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7", "created": "2025-03-24T17:48:43.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). 
LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:54.487Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has captured environment audio, phone calls and Voice over IP (VoIP) calls.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--848581bc-bf8f-40e2-871e-cd67042b4adf", "created": "2023-01-18T19:14:40.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:54.709Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use overlays to steal user banking credentials entered into legitimate sites.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8499ffce-1045-4a8a-9e09-ec53d535a021", "created": "2023-10-10T15:33:58.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:54.944Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has masqueraded as VPN and Android system apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4", "created": "2023-10-10T15:33:59.401Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:55.230Z", "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) distributed malware as repackaged legitimate applications, with the malicious code in the `com.golf` package.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0", "created": "2024-03-26T19:05:36.787Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:55.443Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can download additional malware to the victim device.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c", "created": "2024-02-21T20:53:10.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:55.649Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103", "created": "2019-09-23T13:36:08.341Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:55.862Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. 
It can also communicate by using JSON messages sent through Google Cloud Messaging.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8578441b-00d2-4416-a011-380647e6ccdd", "created": "2024-02-21T20:44:44.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:56.064Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:31.639Z", "description": "[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23", "created": "2025-03-28T15:02:49.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:56.484Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used HTTPS POST requests for C2 communication.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02", "created": "2020-06-26T15:32:25.144Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:56.712Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3", "created": "2020-07-15T20:20:59.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:56.912Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can disable Play Protect.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--86170d29-0e41-44d0-94b0-de7d23718302", "created": "2022-04-05T19:42:39.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android 12 Features", "description": "Google. (2022, April 4). Features and APIs Overview. 
Retrieved April 5, 2022.", "url": "https://developer.android.com/about/versions/12/features" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:57.115Z", "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788", "created": "2020-05-07T15:33:32.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:57.345Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) deletes infected applications\u2019 update packages when they are detected on the system, preventing updates.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8", "created": "2022-04-05T19:49:59.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:57.561Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5", "created": "2023-06-09T19:19:38.523Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:57.767Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f", "created": "2022-04-06T13:39:39.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:57.975Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3", "created": "2020-05-04T14:04:56.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends). 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:32.743Z", "description": "[Bread](https://attack.mitre.org/software/S0432) collects the device\u2019s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8726b157-3575-450f-bb7f-f17bb18e6aef", "created": "2022-03-30T20:41:43.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:58.380Z", "description": "New OS releases frequently contain additional limitations or controls around device location access.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--873b98de-d7cf-471b-9aa2-229eb03c9165", "created": "2020-09-15T15:18:12.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:33.057Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device information, including OS version and device model.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--875dc21d-92c3-45bf-be37-faa44f4449bf", "created": "2020-06-02T14:32:31.891Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:58.808Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s contact list.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298", "created": "2020-12-14T15:02:35.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:59.022Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect the device\u2019s contact list.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8870c211-820a-46a1-96fc-02f4e6eaec03", "created": "2020-11-10T16:50:39.134Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:33.553Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). 
[CarbonSteal](https://attack.mitre.org/software/S0529) has also called `netcfg` to get stats.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--88de8869-2b01-4702-8518-e4e78fde44d9", "created": "2023-07-12T20:45:18.766Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:59.671Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--88ded3fb-759e-4e96-946b-e7148c54856e", "created": "2022-04-08T16:29:30.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:49:59.882Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--88e33687-e999-42c8-b46b-49d2adfa17d0", "created": "2022-04-01T15:02:04.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:00.085Z", "description": "Apple regularly provides security updates for known OS vulnerabilities. ", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03", "created": "2020-12-17T20:15:22.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:33.996Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s microphone.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--891edea2-817c-4eeb-9991-b6e095c269a8", "created": "2020-06-02T14:32:31.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:00.513Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve the call history.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0", "created": "2020-04-24T15:12:11.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:34.411Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) requests permissions to use the device camera.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--89565753-23c4-422d-a9ba-39f4101cd819", "created": "2020-11-20T16:37:28.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:34.636Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can track the device\u2019s location.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05", "created": "2024-03-26T19:03:34.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:01.388Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can record phone calls.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8a255d63-a770-4b9d-911c-bd906733ceef", "created": "2023-01-18T19:24:36.689Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:01.599Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has C2 commands that can move the malware in and out of the foreground. 
(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724", "created": "2022-04-01T15:02:21.344Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:01.813Z", "description": "Device attestation can often detect jailbroken devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be", "created": "2023-07-21T19:35:34.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:02.027Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access browser history and bookmarks, and can list all files and folders on the device.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3", "created": "2020-09-11T14:54:16.615Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:35.320Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record videos.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8b27a786-b4d9-4014-a249-3725442f9f1d", "created": "2021-01-05T20:16:20.499Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:35.513Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can obtain a list of installed applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9", "created": "2020-09-11T14:54:16.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. 
(2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:02.696Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect the device\u2019s contact list.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8b3756f1-327a-4625-bde0-26b216ecb07a", "created": "2025-03-28T14:41:27.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:02.903Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has obtained a list of files using the `fts` API and has obtained files that match a specified regular expression.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711", "created": "2023-02-06T20:12:17.434Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:03.101Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_CALL_LOG` permission.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785", "created": "2024-04-03T20:10:01.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CitizenLab Great iPwn", "description": "Marczak, B., et al. (2020, December 20). The Great iPwn. 
Retrieved April 3, 2024.", "url": "https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:03.316Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has been distributed via malicious links in SMS messages.(Citation: CitizenLab Great iPwn)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781", "created": "2020-04-24T15:06:33.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:36.091Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can record MP4 files and monitor calls.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b", "created": "2025-09-18T14:41:56.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:41:56.525Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected the device\u2019s last known location.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556", "created": "2019-09-04T15:38:56.678Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" }, { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:03.916Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52", "created": "2023-01-19T18:07:52.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:04.116Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can exfiltrate collected user data, including credentials and authorized cookies, via email.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8bcc9da8-c390-4151-b72d-30604820673e", "created": "2023-08-04T19:05:04.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:04.323Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can search for installed applications such as WhatsApp.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91", "created": "2020-12-18T20:14:47.369Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:04.767Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has registered several broadcast receivers.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8c50e9e7-e13c-4814-98d0-088d73b10005", "created": "2023-03-03T16:21:24.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:04.996Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has modified Safari\u2019s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program \u201cQQ\u201d on infected devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8c5b7bb2-e431-4dcd-a27c-ea9101086a9f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8c656539-aa1e-42db-9016-d38f1daaae16", "created": "2023-01-18T19:20:26.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:05.220Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can collect user SMS messages.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e", "created": "2021-01-05T20:16:20.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:37.204Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can check the device\u2019s battery status.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b", "created": "2020-09-11T14:54:16.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:05.862Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can delete copies of itself if additional APKs are downloaded to external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:06.069Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:37.643Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9", "created": "2023-08-04T18:29:54.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:06.485Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a device's contacts.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b", "created": "2023-02-06T19:47:08.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:06.715Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has code to encrypt device data with AES.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803", "created": "2023-02-06T19:05:00.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:06.920Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can obtain a list of installed applications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b", "created": "2023-10-10T15:33:58.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:07.387Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) has masqueraded as \u201cAdobe Flash Player\u201d and \u201cGoogle Play Verificator\u201d.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de", "created": "2023-01-18T19:16:45.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:07.599Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has used custom encryption to hide strings, potentially to evade antivirus products.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8e9cacb4-f265-4a4e-9f80-853c7cfa791f", "created": "2026-03-09T15:31:04.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:31:04.111Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has searched for files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8ea39534-6fe9-404c-94b7-0f320af95404", "created": "2022-04-01T15:17:21.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:07.834Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc", "created": "2019-09-23T13:36:08.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:38.463Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) retrieves a list of installed applications and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:38.646Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted location information.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f142643-0448-4b04-8260-8e4e62ad80bb", "created": "2023-08-04T18:34:42.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:08.467Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can download adversary-specified content from FTP shares.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f15a917-d5e6-4ce3-ab3f-9fe72311f699", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8", "created": "2022-03-30T18:06:21.355Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec-iOSProfile2", "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles" }, { "source_name": "Android-TrustedCA", "description": "Chad Brubaker. (2016, July 7). 
Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.", "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:08.676Z", "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attacks.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f2929a9-cd25-4e07-b402-447da68aaa56", "created": "2020-04-24T15:06:33.455Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:08.908Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc", "created": "2020-07-15T20:20:59.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:39.153Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f478d97-f163-4476-b5b6-c2ff4b6389a7", "created": "2025-05-19T18:25:30.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-05-19T18:25:30.412Z", "description": "For Android devices, users should be advised to enable Google Play Protect, which checks the device itself and the applications for malicious behavior. For iOS devices, users who are concerned about being targeted should consider enabling Lockdown Mode, which provides extreme protection of the device as well as data stored and transmitted. 
\nIn general, users should be advised against scanning QR codes and/or clicking on suspicious links or text messages, which may masquerade as device-linking instructions by Signal or WhatsApp.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68", "created": "2023-06-09T19:15:30.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:09.324Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect voice notes and messages from WhatsApp, if installed.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57", "created": "2020-11-24T17:55:12.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. 
(2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:09.522Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can wipe the device.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3", "created": "2020-04-08T15:41:19.404Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:09.727Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can steal the device\u2019s contact list.(Citation: Cofense Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5", "created": "2019-09-03T19:45:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:09.937Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9", "created": "2022-03-30T14:26:02.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:10.145Z", "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--8ff45341-60d6-40d3-bb38-566814a466f9", "created": "2020-07-20T13:27:33.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:10.390Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can perform primitive emulation checks.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--901492b5-b074-4631-ad6e-4178caa4164a", "created": "2020-12-24T22:04:28.017Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:39.967Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has recorded calls and environment audio in .amr format.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--904221c2-2486-4e0b-905f-5327ee299097", "created": "2025-09-18T14:39:57.218Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:39:57.218Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as model, brand, buildId, Android version and manufacturer.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a", "created": "2023-09-28T17:39:24.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:10.815Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect device geolocation data.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--90d4d964-efa2-46ac-adc2-759886e07158", "created": "2020-10-29T17:48:27.325Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:11.016Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used HTTPS for C2 communication.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861", "created": "2021-02-08T16:36:20.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:11.383Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4", "created": "2025-03-24T17:56:46.563Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:11.602Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has delivered malicious links through Telegram channels and Instagram posts.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:11.803Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--91831379-b0da-4019-a7bb-17e53cda9d0b", "created": "2020-12-31T18:25:05.131Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:40.845Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has utilized native code to decrypt its malicious payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--918b985b-8731-4fc6-a505-4e070e7fca3b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--919a13bc-74be-4660-af63-454abee92635", "created": "2019-03-11T15:13:40.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-Anserver2", "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:41.074Z", "description": "\n[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd", "created": "2025-03-12T22:10:30.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). 
Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:12.618Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has masqueraded as legitimate banking applications.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27", "created": "2020-07-20T13:27:33.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:41.480Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489)\u2019s code is obfuscated.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63", "created": "2025-03-27T22:37:35.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. 
Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:13.011Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has been distributed via malicious links in SMS messages.(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--920be05e-3d07-4e69-b28d-d8669cf43fd7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:41.871Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--922fa6eb-7274-477c-821e-ae6684c08934", "created": "2024-04-02T19:28:17.558Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:13.424Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) has used phishing sites impersonating iCloud and Facebook when either of those services was used for authentication during the chat application's sign-up process.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea", "created": "2019-10-18T14:52:53.193Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:13.614Z", "description": "Device attestation could detect devices with unauthorized or unsafe modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb", "created": "2020-06-26T14:55:13.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:42.445Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--92cc4942-453e-49af-bc04-18cb99493b73", "created": "2025-03-28T15:13:08.761Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:14.000Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated SMS messages.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--930c3a54-e728-41e8-8f5b-6dd3408de343", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0", "created": "2019-08-07T15:57:13.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:14.228Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f", "created": "2024-03-28T18:11:37.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:14.420Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:14.651Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c", "created": "2019-07-10T15:35:43.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:43.023Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9373912a-affa-4a3c-ad97-1b8311e228ee", "created": "2019-09-04T14:28:15.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:43.262Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9398bf9d-be77-4ac2-acea-893152cafd16", "created": "2022-03-30T14:43:46.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:15.255Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016", "created": "2022-04-15T18:12:53.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:15.458Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--93b6bf37-5614-4317-8ed7-42f098152c40", "created": "2023-02-28T20:39:18.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:15.670Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use a SOCKS proxy to evade C2 IP detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--93c16b23-305c-418d-9792-6e44525ed85a", "created": "2024-04-02T19:14:26.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:15.862Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can access a device\u2019s location.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--93c20f43-6684-471c-910f-d9577f289677", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:16.045Z", "description": "In at least one case, [Stealth Mango](https://attack.mitre.org/software/S0328) may have been installed using physical access to the device by a repair shop.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:43.927Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) updates and sends the location of the phone.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a", "created": "2024-03-29T15:05:34.232Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:16.448Z", "description": "Certain enterprise policies can be applied to prevent users from adding certificates to the device and to prevent applications from being able to install their own certificates. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9432fabf-9487-469c-86c9-b9d26b013c85", "created": "2022-04-01T13:13:10.587Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:16.672Z", "description": "Call Log access is an uncommonly needed permission, so users should be instructed to apply extra scrutiny before granting an application access to their call logs. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348", "created": "2022-04-20T17:42:11.714Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:16.854Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses standard HTTP for exfiltration.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--947abdad-2978-420e-abb5-8c8cf30fb291", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f", "created": "2019-12-10T16:07:41.083Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:17.054Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can enable installation of apps from unknown sources.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4", "created": "2022-03-28T19:30:27.364Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:17.261Z", "description": "Security updates may contain patches to integrity checking mechanisms that can detect unauthorized hardware modifications.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f", "created": "2022-03-28T19:25:38.355Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:17.452Z", "description": "Security updates may contain patches that inhibit system software compromises.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--950e1476-83ca-4e81-b542-c91a19b206d7", "created": "2020-04-24T17:46:31.466Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:44.737Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19", "created": "2024-04-02T19:42:50.418Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:17.876Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has disabled Google Play Protect.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9565144c-46b3-4b15-96ba-21cc0dc6d7fd", "created": "2025-10-08T14:38:02.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:38:02.412Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.(Citation: Lookout_DCHSpy_July2025)", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--95725b00-f40e-4a3a-af2a-92156595cd37", "created": "2024-04-03T20:07:44.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CitizenLab Great iPwn", "description": "Marczak, B., et al. (2020, December 20). The Great iPwn. 
Retrieved April 3, 2024.", "url": "https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:18.077Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has used zero-day iMessage exploits for initial access.(Citation: CitizenLab Great iPwn)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--95bf4e8b-f388-48a0-b236-c2077252e71e", "created": "2019-09-03T20:08:00.757Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:45.144Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers the device IMEI to send to the command and control server.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--95fec5e4-d48a-471f-8223-711cd32659b8", "created": "2022-04-01T18:49:51.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:18.519Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--96298aed-9e9f-4836-b29b-04c88e79e53e", "created": "2022-04-01T18:42:37.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:18.713Z", "description": "Security updates often contain patches for vulnerabilities that could be exploited for root access. 
Root access is often a requirement to impairing defenses.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b", "created": "2020-12-17T20:15:22.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:45.553Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can steal data from various sources, including chat, communication, and social media apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--96475ee5-39ed-46c5-85f6-f08462875a9e", "created": "2024-03-26T18:43:39.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:19.140Z", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306", "created": "2020-05-07T15:33:32.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:45.840Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--96569099-db95-4f3c-8ded-6d9cf023e55e", "created": "2019-09-03T20:08:00.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:19.557Z", "description": " [Gustuff](https://attack.mitre.org/software/S0406) can use SMS for command and control from a defined admin phone number.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--967ca7e3-4a3a-448a-b649-88329918aced", "created": "2026-02-16T16:00:26.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:00:26.529Z", "description": "Once accessibility permissions are granted, [DocSwap](https://attack.mitre.org/software/S9005) has abused the Accessibility Service to execute a keylogging capability.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--967e0bbc-879c-49b9-809b-cd55861709bd", "created": "2026-02-06T21:28:28.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:28:28.964Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to uninstall itself from the device.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31", "created": "2022-09-29T20:11:55.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:19.772Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--97158eda-5092-4939-8b5c-1ef5ab918089", "created": "2020-04-24T15:12:11.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:46.289Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) can collect device photos.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf", "created": "2020-09-11T14:54:16.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:46.485Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect account information stored on the device.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60", "created": "2020-07-27T14:14:56.980Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:46.765Z", "description": "[Zen](https://attack.mitre.org/software/S0494) base64 encodes one of the strings it searches for.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--974e07a2-1156-451e-b4f6-f9e77352fece", "created": "2025-10-08T14:42:56.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:42:56.875Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has uploaded collected data to a Secure File Transfer Protocol (SFTP) server.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--97738857-d496-4d39-9809-1921e0ad10b7", "created": "2020-12-31T18:25:05.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:46.940Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can collect files from the filesystem and account information from Google Chrome.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--97ecb268-d1cd-48b2-a50e-9d7eac38602b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--980430c1-6173-440e-b75e-c1cdb4c41560", "created": "2023-09-28T17:40:16.985Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zimperium FlyTrap", "description": "A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. 
Retrieved September 28, 2023.", "url": "https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:20.946Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to exfiltrate data to the C2 server.(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:21.130Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39", "created": "2020-04-08T15:41:19.364Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:21.364Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9819974c-f093-482b-8b2b-93a05ab7382e", "created": "2023-08-04T18:31:48.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:21.571Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate browser history, BlackBerry Messenger files, IMO instant messaging content, and WhatsApp voice notes.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--982ca7e3-e5bd-4b06-8cf9-54435ef74f52", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--98360714-5239-442f-9619-d562b4b7ce76", "created": "2024-01-26T17:36:10.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:21.765Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can steal data from a user\u2019s WhatsApp account(s).(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98420345-5cf0-4145-b41b-54001847edb0", "created": "2026-02-06T21:33:48.884Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:33:48.884Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has communicated to HTTP C2 nodes.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3", "created": "2021-02-08T16:36:20.788Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:21.988Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included keylogging capabilities as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98632824-9fe4-4992-aafe-31c5eac66ec1", "created": "2023-12-18T18:18:22.618Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:22.220Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has exfiltrated data to the C2 server using HTTP requests.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e", "created": "2023-02-28T20:34:18.504Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:22.408Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use HTTP POST requests on port 80 for communicating with its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98ae9cb2-1141-48c6-81fd-f16adb430031", "created": "2023-01-18T19:17:07.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:22.600Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` Android permissions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9", "created": "2023-12-18T18:17:36.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" }, { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:22.823Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has masqueraded as legitimate WhatsApp updates and app security scanners.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98b14660-79e1-4244-99c2-3dedd84eb68d", "created": "2020-09-11T14:54:16.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:48.267Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can track the device\u2019s location.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a", "created": "2020-11-20T16:37:28.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:23.271Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device\u2019s contact list.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--98f16b87-2caf-48cc-a6fc-41554ed8bf9d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07", "created": "2024-03-26T19:05:15.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:23.677Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can collect device metadata.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4", "created": "2021-10-01T14:42:48.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:48.844Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record from the device\u2019s camera.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--99517b2d-0d51-4718-be20-5cafc55b35a5", "created": "2026-03-09T15:32:12.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. 
Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:32:12.564Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested the `android.permission.GET_ACCOUNTS` permission.(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--9951d8c0-d210-4776-808b-421b613f244f", "created": "2019-09-23T13:36:08.463Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:24.065Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) hides its icon after first launch.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--998f03cf-7dbe-45b4-9103-a26d5b0383c7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f", "created": "2020-09-11T14:54:16.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:24.268Z", "description": "If running on a Huawei device, [Desert Scorpion](https://attack.mitre.org/software/S0505) adds itself to the protected apps list, which allows it to run with the screen off.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648", "created": "2024-04-02T19:45:43.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:24.463Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can hide its icon.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9", "created": "2023-09-25T19:44:41.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MoustachedBouncer ESET August 2023", "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023.", "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:24.674Z", "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used legitimate looking filenames for malicious executables including MicrosoftUpdate845255.exe.(Citation: MoustachedBouncer ESET August 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9a90aacf-3b03-4100-a600-5c455d4e48de", "created": "2025-03-28T15:10:00.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:24.860Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used a microphone-recording module.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25", "created": "2023-06-09T19:16:28.560Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:25.056Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78", "created": "2024-04-02T19:13:50.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:25.461Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device\u2019s camera.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9bbfa759-5555-4048-a79d-fed27a1efd93", "created": "2023-06-09T19:14:21.299Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:25.878Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d", "created": "2022-04-01T17:06:06.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:26.276Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9c302eb1-1810-48a5-b34d-6aae303d2097", "created": "2022-04-01T15:16:26.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:26.465Z", "description": "Users should be instructed to not open links in applications they don\u2019t recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9c545cbb-4949-4695-8d6b-b480478d3e20", "created": "2023-12-18T18:08:42.383Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:26.660Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can turn off or fake turning off the screen while performing malicious activities.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9c6b1915-24e2-48ac-909a-0af43053b053", "created": "2025-03-28T14:35:37.765Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:26.868Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has encrypted data using RSA.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:50.715Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9c853c22-7607-4cbd-b114-08aaa4625c35", "created": "2020-12-17T20:15:22.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:50.910Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can collect device information and can check if the device is running MIUI on a Xiaomi device.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9caeaf97-ca4e-4417-8148-d9a38b141047", "created": "2025-03-28T15:02:22.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:27.469Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used RSA to encrypt C2 communication.(Citation: SecureList OpTriangulation 21Jun2023)", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856", "created": "2020-05-04T14:04:56.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:28.073Z", "description": "[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9d264e84-27b2-4867-82c8-55486a969d7c", "created": "2020-12-17T20:15:22.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:51.632Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running processes.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", "created": "2019-10-14T20:49:24.571Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:52.019Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about running processes.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9", "created": "2019-09-04T14:28:15.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:28.870Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can remount the system partition as read/write to install attacker-specified certificates.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c", "created": "2019-09-04T15:38:56.562Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:52.286Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:52.551Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9e458d77-c856-4b02-82a7-50947b232dc3", "created": "2021-10-01T14:42:49.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:52.729Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download a payload or updates from either its C2 server or email attachments in the adversary\u2019s inbox.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. 
Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:52.936Z", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9e77cf7d-41f2-41da-8bc3-491083a11d80", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192", "created": "2025-08-29T22:02:34.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:02:34.795Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s current cellular network information, including the phone number and the serial number.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--9f822445-67ed-41b4-ac55-a75940b5b9f6", "created": "2025-08-29T22:10:06.592Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:10:06.592Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has utilized a timer to initiate a WebSocket connection.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--9f83d618-a42d-4797-b9fe-030affdbd13f", "created": "2023-01-18T19:46:45.399Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:30.046Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can hide and send SMS messages. 
[SharkBot](https://attack.mitre.org/software/S1055) can also change which application is the device\u2019s default SMS handler.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7", "created": "2022-04-15T16:00:43.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:30.267Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2", "created": "2020-07-15T20:20:59.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:30.464Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--9fabea31-9394-44a5-8641-ab5bcce07bb3", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5", "created": "2024-04-17T13:12:54.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:30.671Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f", "created": "2022-03-30T20:07:33.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:31.052Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d", "created": "2020-10-29T19:21:23.235Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:53.946Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has hidden the C2 server address using base-64 encoding. (Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e", "created": "2022-03-30T13:45:39.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:31.464Z", "description": "Device attestation can often detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c", "created": "2019-11-21T19:16:34.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:31.679Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965", "created": "2020-04-08T15:51:25.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:54.328Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can obtain a list of installed applications.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415", "created": "2020-11-10T17:08:35.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:54.566Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s location and track the device over time.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6", "created": "2019-11-21T16:42:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:54.766Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect location information, including GPS coordinates.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a111958f-bb98-48c1-ad44-bf55fad232e9", "created": "2025-03-24T17:50:41.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. 
(2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:32.461Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f", "created": "2022-04-01T12:50:48.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:32.662Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a120ac54-32fa-43ad-a826-8325823b656d", "created": "2023-09-22T19:14:12.741Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:32.861Z", "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a153f40b-ba34-4419-9189-d61b5cd29802", "created": "2025-01-10T18:39:06.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. 
Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-05T14:31:01.650Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the call log.(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9", "created": "2020-07-20T13:27:33.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:55.375Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) uses `dumpsys` to determine if certain applications are running.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a186540d-d235-48f1-8757-d0b46f13c6ce", "created": "2023-06-09T19:20:23.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:33.480Z", "description": "(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "target_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41", "created": "2023-01-18T21:43:36.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:33.684Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can download attacker-specified files.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a1beac5f-7582-46b6-8e20-7d42797cc632", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f", "created": "2019-09-03T19:45:48.518Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:33.882Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a1fac829-275a-409a-9060-e7bd7c63057e", "created": "2020-12-18T20:14:47.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:55.846Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can obtain a list of installed apps.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58", "created": "2023-12-18T18:11:53.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:34.330Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can use both HTTP and WebSockets to communicate with the C2 server.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a20493e1-4699-405d-a291-c28aae8ed737", "created": "2022-04-18T16:53:24.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:34.529Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. 
[RedDrop](https://attack.mitre.org/software/S0326) also downloads additional components (APKs, JAR files) from different C2 servers.(Citation: Wandera-RedDrop) ", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a20581b4-21fa-4ed9-b056-d139998868e8", "created": "2019-09-04T14:28:15.970Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:34.727Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the device's contact list.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:34.953Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52", "created": "2019-09-23T13:36:08.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:35.136Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can use phishing overlays to capture users' credit card information.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a25a0454-d6da-4448-a3c5-33648ee6675a", "created": "2023-07-21T19:36:50.262Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:35.361Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect system information, such as Android version and device identifiers.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:56.801Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a26a09cd-1718-403f-99f3-fdb127ac3599", "created": "2025-04-15T17:51:41.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-23T14:35:47.624Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has used the DeleteSpring plugin to render the device\u2019s user interface inoperable by disabling SpringBoard, which is iOS's home screen manager.(Citation: LinkedIn Dmitry LightSpy 2025) [LightSpy](https://attack.mitre.org/software/S1185) has used the BootDestroy plugin to prevent the victim device from booting by modifying the NVRAM parameter `auto-boot` to `false`.(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has renamed the Wi-Fi daemon to disable wireless connectivity.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a27b771e-430b-4044-aa04-7e755f74ae2f", "created": "2025-03-27T22:47:30.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:35.979Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has searched for and has deleted the malicious iMessage attachment used in the initial access phase in various databases.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a285f343-09c3-49af-9c18-1dccf89e9009", "created": "2020-11-20T16:37:28.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:57.305Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect a directory listing of external storage.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd", "created": "2019-09-04T15:38:56.597Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:57.561Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:57.773Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa", "created": "2020-11-24T17:55:12.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:57.963Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7", "created": "2024-03-26T18:39:59.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" }, { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:37.165Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) has masqueraded malware as legitimate applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a2ec4e16-8bc8-4fbf-a71d-d6356fbfc1c5", "created": "2025-09-18T14:40:56.210Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:40:56.210Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.(Citation: ZimperiumGupta_RatMilad_Oct2022)", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", "created": "2020-06-26T14:55:13.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:58.322Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d", "created": "2020-07-15T20:20:59.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:37.581Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62", "created": "2025-04-15T18:08:29.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:37.790Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) injects libcynject.dylib into the SpringBoard process to enable audio/video recording.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209", "created": "2020-04-24T15:06:33.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:37.983Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a3c4b392-2879-4f31-9431-3398e034851b", "created": "2022-04-06T13:52:37.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:38.228Z", "description": "Users should be cautioned against granting administrative access to applications.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c", "created": "2020-12-14T14:52:03.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:38.417Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:59.033Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a3fbcfa8-941f-405a-bd71-a4e082be169f", "created": "2026-02-16T16:02:10.306Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:07:41.907Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to upload and download files via socket communication.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3", "created": "2020-12-14T14:52:03.283Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:38.816Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP requests over port 7878.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a451966b-f826-422b-9505-f564b9988a9c", "created": "2020-12-24T21:55:56.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:39.015Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used both FTP and TCP sockets for data exfiltration.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a466f8f0-c9da-46d1-80d0-b8654e727526", "created": "2023-08-04T18:33:37.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:39.232Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a list of installed applications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8", "created": "2023-02-06T18:59:15.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:39.435Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device information such as manufacturer, model, version, serial number, and telephone number.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d", "created": "2023-12-18T18:09:34.167Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" }, { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:39.632Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can insert a given string of text into a data field. 
[BRATA](https://attack.mitre.org/software/S1094) can abuse the Accessibility Service to interact with other installed applications and inject screen taps to grant permissions.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9", "created": "2020-12-24T21:55:56.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:29:59.721Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploit tools, such as TowelRoot, to gain root.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a501ed56-2ae3-4dde-99db-a00ced43c05a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a", "created": "2020-10-29T19:21:23.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:40.035Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a54c8c09-c849-4146-a7cc-158887222a6d", "created": "2020-12-24T21:45:56.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:40.234Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a563fc97-a452-4348-a831-f4fb55c71e35", "created": "2023-03-03T16:22:45.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:40.437Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used fake Verisign and Symantec certificates to bypass malware detection systems. 
[YiSpecter](https://attack.mitre.org/software/S0311) has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:00.405Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d", "created": "2019-09-03T20:08:00.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:41.240Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) communicates with the command and control server using HTTP requests.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a609b20b-6955-4c59-84d4-a3496d95fba1", "created": "2023-12-18T18:18:05.554Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:41.626Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has compressed data with the `zlib` library before exfiltration.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860", "created": "2023-12-18T19:07:14.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:41.823Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can record the screen.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2", "created": "2020-07-27T14:14:57.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:42.033Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can modify the SELinux enforcement mode.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a67a9c6f-318a-4ca5-aa6a-1d6d88b5d523", "created": "2026-02-06T21:32:56.142Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:32:56.142Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to perform clicks, swipes (left, right, up and down) on the screen and actions such as \u201cBack,\u201d \u201cHome,\u201d and \u201cMenu.\u201d(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072", "created": "2020-09-11T15:14:34.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SMS KitKat", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:01.310Z", "description": "Users should be encouraged to be very careful with what applications they grant SMS access to. 
Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a68b17af-5277-4722-9a2d-0924f07ca421", "created": "2023-12-18T18:12:15.138Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:42.470Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can view a device through VNC.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2", "created": "2023-01-18T21:24:28.714Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:42.674Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a Domain Generation Algorithm to decode the C2 server location.(Citation: nccgroup_sharkbot_0322) ", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:01.731Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collects and uploads information about changes in SIM card or phone numbers on the device.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a75ba401-40bf-4bc6-a2f5-01ee44df93a4", "created": "2026-03-09T15:26:00.766Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:26:00.766Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected and exfiltrated SMS messages.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a76d731b-484c-442a-b1a3-255d8398aefd", "created": "2019-10-10T15:22:52.545Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:01.927Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:43.463Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a7c55178-6b02-4cae-b4fb-a664ac7d528e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:02.310Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", 
"id": "relationship--a7dfad27-7bba-4593-87d1-86a5461cb957", "created": "2026-03-09T15:23:37.086Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:23:37.086Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has monitored and exfiltrated notifications from messaging applications and from SMS messages.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:43.860Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a808c887-b2b8-4b05-9cab-47c918e48d48", "created": "2020-12-14T15:02:35.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:02.658Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can send SMS messages from compromised devices.(Citation: Securelist Asacub) ", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03", "created": "2020-12-24T21:45:56.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. 
Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:44.274Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7", "created": "2019-03-11T15:13:40.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-Anserver2", "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:03.021Z", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version, device build version, manufacturer, and model.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a8565c17-7054-4d3f-bca5-6e17dc931491", "created": "2023-03-03T16:20:08.033Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:44.683Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used private APIs to download and install other pieces of itself, as well as other malicious apps. 
(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5", "created": "2019-09-03T20:08:00.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:03.392Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84", "created": "2019-07-10T15:35:43.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:03.639Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388", "created": "2022-03-30T20:36:18.656Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:45.328Z", "description": "Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce", "created": "2022-04-01T18:42:50.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:45.524Z", "description": "Providing user guidance around commonly abused features, such as the modal dialog that requests administrator permissions, should help prevent defenses from being impaired.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c", "created": "2019-09-23T13:36:08.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:04.101Z", "description": "Starting in 2017, the [Rotexy](https://attack.mitre.org/software/S0411) DEX file was packed with garbage strings and/or operations.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a92a805e-d5f5-4e94-8592-c253e03e4476", "created": "2022-03-31T19:51:15.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android Package Visibility", "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022.", "url": "https://developer.android.com/training/package-visibility" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:45.924Z", "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that non-App Store applications could previously use to list installed applications.(Citation: Android Package Visibility)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a93ee044-bd5d-48f3-972e-0abab780c35c", "created": "2023-02-08T20:05:06.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:46.122Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can steal information via malicious JavaScript.(Citation: trendmicro_tianyspy_0122)", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a95fe853-d1d1-47dc-a776-b905daacfe32", "created": "2020-06-26T20:16:32.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:46.339Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) has used Firebase Cloud Messaging for C2.(Citation: ESET DEFENSOR ID) ", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530", "created": "2020-01-27T17:05:58.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:04.614Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of installed applications.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9", "created": "2022-04-01T17:08:15.158Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:46.741Z", "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC5-WG10-FinalReport) ", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c", "created": "2021-02-17T20:43:52.410Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:04.873Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa15a167-4c7d-4e69-8c51-5414997ac4e5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0", "created": "2019-09-03T20:08:00.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff" }, { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. 
(2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:47.115Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. [Gustuff](https://attack.mitre.org/software/S0406) can also send push notifications pretending to be from a bank, triggering a phishing overlay.(Citation: Talos Gustuff Apr 2019)(Citation: Group IB Gustuff Mar 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa210e0c-fa3e-4550-bf71-7ecf85f23ff2", "created": "2026-02-16T16:00:09.368Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:00:09.368Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has registered the following intents to automatically execute MainService on device reboot: `android.intent.action.BOOT_COMPLETED`, `android.intent.action.ACTION_POWER_CONNECTED`, and `android.intent.action.ACTION_POWER_DISCONNECTED`.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0", "created": "2022-04-01T16:52:03.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:47.328Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa468fe9-e580-41da-a888-100a799e8c6b", "created": "2024-04-02T18:59:32.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:47.512Z", "description": "[UNC788](https://attack.mitre.org/groups/G1029) has used phishing and social engineering to distribute malware.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4", "created": "2024-03-26T19:36:18.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:47.738Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can receive Command and Control commands from SMS messages.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa52ab24-5505-49c4-ac4f-924cdcb4d45e", "created": "2026-04-20T13:22:11.065Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Check Point Wirte NOV 2024", "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. 
Retrieved April 20, 2026.", "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-20T13:22:11.065Z", "description": "[SameCoin](https://attack.mitre.org/software/S9030) can use `libexampleone.so` to fill selected files with zeros and then delete them from the file system.(Citation: Check Point Wirte NOV 2024)", "relationship_type": "uses", "source_ref": "malware--4e164a21-3fbe-4aaa-be69-2513fdba90f7", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5", "created": "2019-08-08T18:47:57.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. 
Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:47.935Z", "description": "Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device\u2019s default IME.(Citation: Android 10 Privacy Changes) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443", "created": "2020-07-20T13:49:03.676Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:48.130Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c", "created": "2025-03-24T20:12:30.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:48.335Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected and exfiltrated files from messaging applications, such as Telegram, QQ, WeChat, and Whatsapp, and browser history from Chrome and Safari.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:05.822Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01", "created": "2024-03-26T19:38:05.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:48.734Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM).(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:48.951Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920", "created": "2022-04-05T19:46:22.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:49.376Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:49.562Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "target_ref": 
"attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--abbbe5ea-f96e-42ad-bfbb-6dbbd66fea55", "created": "2026-03-09T15:38:53.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:38:53.607Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has scanned for Wi-Fi networks.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99", "created": "2017-10-25T14:48:53.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Elcomsoft-iOSRestricted", "description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. 
Retrieved September 21, 2018.", "url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:49.765Z", "description": "iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working.(Citation: Elcomsoft-iOSRestricted)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--abf03652-acd0-4361-8a66-f7e70e8e4376", "created": "2020-06-02T14:32:31.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:49.959Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) communicates with the C2 server using HTTPS requests.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f", "created": "2022-03-30T19:28:55.980Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:50.372Z", "description": "Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ac415e32-e204-4382-b500-2370cec7a608", "created": "2023-08-16T16:45:58.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-07-07T22:04:27.524Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to download new code at runtime.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:07.159Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77", "created": "2020-06-26T15:32:25.035Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). 
First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:07.347Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ad1cd55e-10a7-4895-bc76-160e2de319cf", "created": "2025-10-08T14:40:37.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:40:37.217Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected files of interest on the device, including WhatsApp files.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", "created": "2019-09-03T19:45:48.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:51.148Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ad6fb2ac-9e90-44ef-9e59-a65813eca460", "created": "2026-03-09T15:24:49.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:24:49.309Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected and exfiltrated the contact list.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa", "created": "2023-02-06T19:05:28.288Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:51.360Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect files from or inspect the device\u2019s filesystem.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e", "created": "2022-03-30T18:07:07.306Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:51.557Z", "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ada67532-039d-4b4f-93ab-82ceba13ec56", "created": "2023-07-21T19:53:12.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:51.758Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access text message history.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3", "created": "2025-03-27T22:47:47.614Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:51.962Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has obtained a list of running processes.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--adc9957c-fa57-4e81-9231-b60f01b69859", "created": "2020-12-24T22:04:28.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:08.202Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) can download new code to update itself.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ade33114-0204-49af-95c0-988e39e68989", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee", "created": "2023-07-21T19:51:55.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:52.376Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. It can also make outgoing calls and spoof incoming calls.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--adfc0dc7-cdb4-44be-b8d5-2292a95ad654", "created": "2026-02-06T21:30:22.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:30:22.664Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to collect SMS messages.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ae8619a9-9142-4f0f-8778-09756341b472", "created": "2024-03-29T15:07:58.597Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:52.779Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version has used certificate pinning for C2 communication.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4", "created": "2024-02-20T23:39:08.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:52.976Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--aed2ecd1-999d-485e-a43c-a1b2965de981", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": 
"relationship", "id": "relationship--aed8e8c8-ffea-4134-9951-bdc5bfccbb03", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415", "created": "2022-03-30T14:50:07.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:53.166Z", "description": "Device attestation could detect unauthorized operating system modifications.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", "created": "2020-07-15T20:20:59.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:09.165Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--afba6b19-7486-4e5a-8fda-e91852b0b354", "created": "2021-09-20T13:42:21.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:09.408Z", "description": "Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. 
Further, users should not change their default call handler to applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--afc0e8b2-2e85-4640-8517-fb2e16831082", "created": "2023-01-18T19:45:27.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:53.980Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a WebView with a fake log in site to capture banking credentials.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:09.709Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--afe9e326-01f7-4296-a11b-09cfffd80120", "created": "2020-07-27T14:14:56.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:09.921Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads and system prompts to create new Google accounts.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b018fe06-740b-4864-b30a-f047598506b3", "created": "2020-04-24T15:06:33.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:10.147Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect various pieces of device information, including OS version, phone model, and manufacturer.(Citation: TrendMicro Coronavirus Updates) ", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4", "created": "2024-03-28T18:30:23.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:54.776Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s information, such as the SIM serial number.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694", "created": "2021-01-05T20:16:20.514Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:10.473Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can list all hidden files in the `/DCIM/.dat/` directory.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b0625604-e4c4-402b-b191-f43137d38d99", "created": "2020-11-20T15:44:57.481Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:55.148Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect sent and received SMS messages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b0a5a5e8-3815-48eb-bceb-d24ca84417b5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c", "created": "2023-07-21T19:41:31.114Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:55.373Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) has been installed using the package name `com.android.callservice`, pretending to be an Android system service.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69", "created": "2019-10-14T19:14:18.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. 
Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:55.566Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) hides its icon after installation.(Citation: Group IB Gustuff Mar 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b0d88891-f927-482e-980a-83d5512b1ae8", "created": "2025-08-29T22:15:24.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:15:24.225Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has downloaded Google Play Store, Google Play services and Google Services Framework APK to a virtual folder.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee", "created": "2025-03-28T15:10:18.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" }, { "source_name": "SecureList OpTriangulation Dec2023", "description": "Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:55.802Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the Audio Queue API to record audio.(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc", "created": "2023-02-28T20:37:01.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:56.003Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use `locale.getLanguage()` to choose the language for notifications and avoid user detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b110d919-acd4-4fe0-a46a-ac4819508667", "created": "2020-07-20T13:58:53.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:56.234Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has been installed via a malicious configuration profile.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b14a1e23-e1ce-46ec-b4f2-414a13a8b6a7", "created": "2025-10-08T20:24:14.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:24:14.898Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. 
To do so, [Chameleon](https://attack.mitre.org/software/S1083) will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3", "created": "2023-12-18T18:16:45.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:56.429Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b19082d2-c151-45dd-8844-82335fbe3ed9", "created": "2023-02-28T21:43:54.880Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . 
(2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:56.621Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can send text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83", "created": "2020-12-24T21:45:56.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:11.615Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can install new applications which are obtained from the C2 server.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b", "created": "2023-10-10T15:33:59.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:57.014Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.(Citation: Lookout FrozenCell) ", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b22addc1-6a23-4657-8164-3705e12bb95b", "created": "2023-07-21T19:40:41.725Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:57.232Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can use SMS to send C2 commands.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5", "created": "2024-02-21T20:46:00.252Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TelephonyManager", "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:57.432Z", "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2", "created": "2020-06-26T15:32:25.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. 
(2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:12.220Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e", "created": "2022-03-30T20:45:34.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android Package Visibility", "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022.", "url": "https://developer.android.com/training/package-visibility" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:57.824Z", "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ArsTechnica-HummingWhale", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:58.016Z", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. 
When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.(Citation: ArsTechnica-HummingWhale)", "relationship_type": "uses", "source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b2896068-4d54-41e1-b0f2-db9385615112", "created": "2021-01-05T20:16:20.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:12.644Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has shown a persistent notification to maintain access to device sensors.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b309c25a-6baf-4874-829d-63712a38652c", "created": "2023-02-06T19:02:16.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:58.427Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself camera permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545", "created": "2019-09-23T13:36:08.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:58.665Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. 
[Rotexy](https://attack.mitre.org/software/S0411) can also send a list of all SMS messages on the device to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b336b44d-1810-4672-8e51-a63e91681907", "created": "2025-03-24T17:56:25.848Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:58.859Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the `landevices` module to enumerate devices on the same WiFi network through active scanning.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b3442cff-8db5-4850-9fd3-64075e940c0a", "created": "2026-03-09T15:37:16.782Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:37:16.782Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has captured pictures using the device\u2019s camera by requesting `android.permission.CAMERA`.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b356d405-f6b1-485b-bd35-236b9da766d2", "created": "2020-04-24T17:46:31.586Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:13.129Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0", "created": "2020-10-29T17:48:27.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:59.282Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can intercept SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab", "created": "2023-01-18T19:58:21.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:59.679Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has used RSA to encrypt the symmetric encryption key used for C2 messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312", "created": "2023-10-10T15:33:59.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:50:59.886Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:13.858Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b402664b-a5b4-45e4-832f-02638e6c67a7", "created": "2022-04-01T14:59:17.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:00.299Z", "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary\u2019s access to password stores. ", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213", "created": "2022-04-20T17:31:58.697Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:00.493Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) has exfiltrated data using FTP.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:00.731Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b43c87a7-de40-4673-9808-57c7ffca7b98", "created": "2023-07-21T19:54:21.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:00.936Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) has masqueraded as popular Korean banking apps.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be", "created": "2021-02-17T20:43:52.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:01.128Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has read SMS messages for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1", "created": "2021-10-01T14:42:49.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:14.656Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect the device\u2019s location information based on cellular network or GPS coordinates.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b4735277-516a-4cd2-9607-a3e415945d93", "created": "2020-11-10T17:08:35.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:14.910Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can remotely capture device audio.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b477afcb-7449-4fae-b4aa-c512c22d7500", "created": "2020-09-15T15:18:12.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:15.679Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can send SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd", "created": "2021-02-08T16:36:20.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:01.953Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has installed malicious MDM profiles on iOS devices as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f", "created": "2020-12-17T20:15:22.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:15.981Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s camera.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b536f233-8c43-4671-b8e8-d72a4806946d", "created": "2022-04-05T17:14:23.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:02.375Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248", "created": "2019-07-10T15:25:57.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:16.259Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551", "created": "2021-02-08T16:36:20.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:16.443Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b59b2f10-942b-455e-8166-1c9acb4b6824", "created": "2025-09-18T14:43:44.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:43:44.037Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has taken photos and videos using the device\u2019s camera.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070", "created": "2020-12-18T20:14:47.302Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:02.974Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used Firebase for C2 communication.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b5f3b110-fc66-4369-89f3-621c945d655f", "created": "2020-04-27T16:52:49.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:16.732Z", "description": "[Triada](https://attack.mitre.org/software/S0424) encrypts data prior to exfiltration.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b6323cf4-8141-4910-8743-e42cd15b49e9", "created": "2023-07-21T19:53:59.148Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:03.569Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can send exfiltrated data back to the C2 server.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b641e5b8-5981-452a-99f0-3598c783e5ee", "created": "2019-08-07T15:57:13.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:03.786Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can intercept incoming SMS messages.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b6726136-3c20-4921-a0cb-75a66f59107c", "created": "2020-09-11T16:22:03.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:17.203Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:17.400Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34", "created": "2023-08-23T22:48:11.931Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:04.576Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) may prevent application removal by abusing Android\u2019s `performGlobalAction(int)` API call. ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:17.779Z", "description": "[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.(Citation: PaloAlto-DualToy)", "relationship_type": "uses", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:18.043Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b7a31a11-6c84-4c28-a548-4751e4d71134", "created": "2020-05-04T14:04:56.158Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:05.165Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10", "created": "2023-03-03T15:36:15.840Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:05.382Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access device call logs.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87", "created": "2021-01-05T20:16:20.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:18.425Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect device photos and credentials from other applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b7df5791-eff5-48f2-8111-1460d6066f53", "created": "2026-02-06T21:26:40.302Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:26:40.302Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has taken a screenshot of the Google Authenticator application using its Accessibility Logging feature. 
The authentication codes are then sent to the C2 server.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f", "created": "2020-10-29T19:01:13.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:05.786Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) can prevent the user from interacting with the UI by using a carefully crafted \"call\" notification screen. This is coupled with overriding the `onUserLeaveHint()` callback method to spawn a new notification instance when the current one is dismissed. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "HackerNews-Allwinner", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:05.987Z", "description": "A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained a simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors.(Citation: HackerNews-Allwinner)", "relationship_type": "uses", "source_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a", "created": "2023-09-28T17:26:10.893Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:06.180Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can manipulate a device\u2019s call log, including deleting incoming calls.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b8606318-8c12-4381-ba33-5b2321772ea0", "created": "2022-03-30T20:31:57.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:06.393Z", "description": "Users should be advised to closely scrutinize applications that request location or sensitive phone information permissions, and to deny any permission requests from applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6", "created": "2025-03-28T15:12:41.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:06.578Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated data from WhatsApp and Telegram.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad", "created": "2021-09-24T13:59:11.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:06.780Z", "description": "The user should become familiar with social engineering tactics that ask for Personally Identifiable Information (PII). Additionally, the user should use hardware tokens, biometrics, and other non-SMS-based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b9330b2b-10cb-401a-8264-c6a0a1f44882", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98", "created": "2023-09-28T17:39:35.622Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:06.992Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) has used infected applications with Facebook login prompts to steal credentials.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c", "created": "2022-04-01T16:51:20.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:07.185Z", "description": "Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b9920bae-9bcc-41ea-92c4-cdf40d9f3506", "created": "2026-02-16T16:02:25.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. 
(2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-23T02:04:41.784Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to collect location information and to start or stop the sending of location information to the C2 server.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc", "created": "2020-06-02T14:32:31.871Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:19.584Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49", "created": "2020-12-24T22:04:28.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:19.803Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has checked for system root.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51", "created": "2020-12-14T14:52:03.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:07.816Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ba116807-ef1c-4621-84c8-9921fa7b735e", "created": "2023-09-28T17:19:21.499Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:08.004Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request the `GET_ACCOUNTS` permission to get the list of accounts on the device, and can collect media files.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6", "created": "2020-07-15T20:20:59.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:20.262Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect the device\u2019s location.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae", "created": "2020-11-10T17:08:35.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:20.472Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d", "created": "2020-07-15T20:20:59.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:20.713Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bae8eb3a-d11c-4a18-82a9-d3657dfa1b85", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106", "created": "2020-12-14T14:52:03.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:21.040Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has stored data embedded in the strings.xml resource file.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630", "created": "2020-07-15T20:20:59.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:09.436Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551", "created": "2025-03-28T14:50:49.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:09.664Z", "description": "(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:21.601Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bb6e0232-8205-4ae8-80a8-659d33056ac8", "created": "2025-10-22T21:37:29.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-22T21:37:29.274Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR).(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387", "created": "2023-06-09T19:09:30.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:10.067Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can gather device call logs.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402", "created": "2021-10-01T14:42:49.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:10.271Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect SMS messages.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bba8b056-acbe-4fed-b890-965a446d7a3c", "created": "2022-04-01T18:45:00.923Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:10.474Z", "description": "Users should be warned against granting access to accessibility features and device administration services, and should carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af", "created": "2023-01-18T21:20:01.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. 
(2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:10.680Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735", "created": "2024-03-28T18:32:33.555Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html" }, { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:10.879Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate to the C2 server using HTTPS.(Citation: welivesec_strongpity)(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1", "created": "2020-11-24T17:55:12.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:22.386Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device\u2019s model, country, and Android version.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:11.287Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:22.970Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bc656065-d207-456e-a343-ea778ece5f69", "created": "2025-08-29T22:00:15.784Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:00:15.784Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling [GodFather](https://attack.mitre.org/software/S1231), to exfiltrate Google Authenticator one-time passwords and to steal credentials.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8", "created": "2019-11-21T16:42:48.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:12.331Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can delete arbitrary files from the device.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bc870a55-5499-4146-91ef-ea74647c3e10", "created": "2023-07-12T20:50:03.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:12.520Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a", "created": "2022-03-30T19:54:43.835Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:12.725Z", "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19", "created": "2021-02-17T20:43:52.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:23.743Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved account information for other applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8", "created": "2022-04-15T15:57:32.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:13.123Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bd29ce15-1771-470c-a74b-5ea90832ce23", "created": "2020-12-24T22:04:27.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:13.331Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:24.193Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c", "created": "2020-09-11T14:54:16.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:13.775Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can hide its icon.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--bd6f13e7-9d64-4d88-adf0-d49afdc0370b", "created": "2026-02-16T15:46:25.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. 
Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:46:25.758Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has masqueraded as a VPN application, using the same package name (`com.bycomsolutions.bycomvpn`) and having similar file structure, metadata and code routines as the legitimate application.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9", "created": "2022-04-01T13:19:41.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:13.962Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1", "created": "2023-01-18T19:13:15.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:14.166Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has code to use Firebase Cloud Messaging for receiving C2 instructions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f", "created": "2019-09-04T15:38:56.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:24.648Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f", "created": "2023-08-23T22:17:13.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:14.751Z", "description": "Security updates frequently contain patches to vulnerabilities. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be05e26b-4c1c-4c64-9d84-c8835e0b37b4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967", "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--be07d829-9a12-4d90-ad8c-9e56782af120", "created": "2023-12-18T19:05:57.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:14.942Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can record audio using a device\u2019s microphone.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:25.202Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be17dc63-5b0a-491a-be5f-132058444c3a", "created": "2019-08-09T17:52:13.352Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:25.445Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to take pictures using the device camera.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce", "created": "2019-09-04T14:28:15.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:25.659Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) queries the device for metadata such as make, model, and power levels.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be27a303-5748-4b72-ba69-a328e2f6cc08", "created": "2020-12-31T18:25:05.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:25.843Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can download new modules while running.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e", "created": "2019-07-10T15:25:57.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:26.087Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b", "created": "2024-03-28T18:33:20.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:16.169Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate encrypted data to the C2 server.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137", "created": "2023-09-28T17:20:15.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:16.576Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can access external storage.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c", "created": "2020-06-26T14:55:13.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:26.664Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. 
[EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:26.871Z", "description": "[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. 
It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bee919a6-c488-49a0-9848-fff19aa2c276", "created": "2021-09-24T14:47:34.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:27.315Z", "description": "Mobile security products can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bef936d5-736e-491a-9c30-37b8362a5d96", "created": "2023-07-21T19:33:48.439Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:17.382Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access device call logs.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2", "created": "2023-09-28T17:19:51.110Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:17.578Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can access the device\u2019s call log.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bf02dea9-17cb-41f8-b362-c3081da81199", "created": "2025-03-28T14:58:01.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:17.780Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors collected device and user information.(Citation: SecureList OpTriangulation 01Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8", "created": "2019-09-04T15:38:56.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:17.976Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:27.876Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db", "created": "2023-09-21T22:51:40.666Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Scott-Railton_TheCitizenLab Pegasus Apr2022", "description": "Scott-Railton, J., et al. (2022, April 18). Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru. 
Retrieved April 18, 2024.", "url": "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:18.376Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) can compromise iPhones running iOS 16.6 without any user interaction.(Citation: Scott-Railton_TheCitizenLab Pegasus Apr2022)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bf901bab-3caa-4d05-a859-d9fb4d838304", "created": "2019-10-10T15:27:22.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:28.171Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses browser history, pictures, and videos.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962", "created": "2022-03-30T19:54:07.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:18.981Z", "description": "Device attestation could detect devices with unauthorized or unsafe modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c0121974-44ba-425d-9445-2d6598a5bc66", "created": "2025-08-29T21:56:42.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-12T20:59:15.937Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the Accessibility Service to mimic victims\u2019 actions and to redirect victims to its StubActivity when the victims attempt to use the original, legitimate banking application.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95", "created": "2019-10-18T15:51:48.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:28.872Z", "description": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. 
Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c04d6143-6878-47b4-8be7-b205c3942b1d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e", "created": "2025-03-24T20:10:08.651Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. 
Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:19.775Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s GPS location.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c056b1d4-c70b-403e-b396-18840865ca7d", "created": "2024-02-20T23:50:47.088Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:19.978Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c0d2e769-fb30-4aba-a39d-875e6926513a", "created": "2025-09-18T14:39:15.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:39:15.185Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has deleted files on the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c0d66439-0ae4-4565-8b3a-e92e48e8d3c1", "created": "2026-02-06T21:29:31.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:29:31.339Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to collect the contact list.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c0f03d23-03d6-4457-b783-792d1b8f2994", "created": "2024-08-20T19:09:27.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:20.172Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) can collect encrypted Telegram and Signal communications.(Citation: mandiant_apt44_unearthing_sandworm)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c130e347-38ab-48fd-8779-946477e53dfa", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c", "created": "2022-04-06T15:52:07.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:20.380Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
"x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd", "created": "2020-12-24T21:41:37.047Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:20.582Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c1512591-7440-4a69-93b9-fe439a4c197e", "created": "2022-03-28T19:40:40.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:20.781Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c15acd70-6527-4788-baa9-51a11b996164", "created": 
"2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c16c7904-3c85-49de-a0f4-872f4227d775", "created": "2023-10-10T15:33:59.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:20.976Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) was embedded into legitimate applications using Smali injection.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6", "created": "2023-07-21T19:36:09.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. 
(2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:21.171Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can take photos using the device cameras.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6", "created": "2024-03-01T18:54:39.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Leonard TAG 2023", "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. 
Retrieved March 1, 2024.", "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:21.383Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used SMS-based phishing to target victims with malicious links.(Citation: Leonard TAG 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c1cafa91-9891-4e65-b75d-d83ef6838653", "created": "2023-12-18T18:13:02.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:21.578Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can use tailored overlay pages to steal PINs for banking applications.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c1d853f3-660d-4c65-a977-3823d4d5ecd3", "created": "2026-03-09T15:35:06.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:35:06.322Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected messages in WhatsApp, WhatsApp Business, and Signal.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad", "created": "2021-10-01T14:42:49.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:22.158Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can utilize the device\u2019s sensors to determine when the device is in use and subsequently hide malicious activity. 
When active, it attempts to hide its malicious activity by turning the screen\u2019s brightness as low as possible and muting the device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae", "created": "2021-02-17T20:43:52.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:30.689Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has gathered the device manufacturer, model, and serial number.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c2a684c0-29ad-4c5b-86c0-ef8be9c5d796", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4", 
"target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c30d659c-dd17-4fb0-9b88-2f29427f273b", "created": "2025-06-16T17:28:37.128Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SahinSRLabs_FluBot_Dec2021", "description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. Retrieved April 16, 2025.", "url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-16T17:28:37.128Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) abuses accessibility features in three ways: steal application credentials, evade detection and removal, and send SMS for lateral movement.(Citation: SahinSRLabs_FluBot_Dec2021) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d", "created": "2023-12-18T19:05:04.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:22.570Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can obtain device info such as manufacturer, device ID, OS version, and country.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4", "created": "2020-09-15T15:18:12.362Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:22.981Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6", "created": "2020-10-29T17:48:27.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:31.315Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:31.547Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:24.171Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c3e1aa57-a721-488f-8ac7-4fcb0f987153", "created": "2025-08-29T21:58:20.970Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" }, { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. 
(2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T21:58:20.970Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has gathered a list of installed applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c40cba48-7714-4d03-b748-cadd03360e7a", "created": "2024-02-20T23:55:33.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:24.377Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c41d817e-913e-4574-b8d4-370de9f0034b", "created": "2019-11-18T14:47:25.327Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" }, { "source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:24.599Z", "description": "[Triada](https://attack.mitre.org/software/S0424) injects code into the Zygote process to effectively include itself in all forked processes. 
Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada March 2016)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77", "created": "2022-04-06T15:52:41.579Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:24.804Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", "created": "2020-05-04T14:04:56.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:32.586Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c4d4bb09-4732-40fb-82f5-7e38390abebe", "created": "2026-02-16T16:06:21.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:06:21.275Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to delete files and directories.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a", "created": "2023-10-10T15:33:57.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:25.634Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has masqueraded as a client of popular free ads services.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4", "created": "2020-09-11T15:57:37.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:32.864Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c", "created": "2021-01-05T20:16:20.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:26.022Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect the device\u2019s call logs.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:26.240Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687", "created": "2023-10-10T15:33:58.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:26.466Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) was embedded into legitimate applications.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c574251b-93ad-4f55-8b84-2700dfab4622", "created": "2020-07-15T20:20:59.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:26.681Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c", "created": "2019-09-04T15:38:56.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:33.496Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c5913e23-7fbc-4f46-b9a0-dbeafd4e693d", "created": "2026-03-09T15:19:41.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:19:41.531Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has used a romance trap scam to convince victims into downloading the trojanized application.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429", "created": "2022-04-01T18:51:28.859Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:27.079Z", "description": "Security updates frequently contain patches to vulnerabilities that can be exploited for root access.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2", "created": "2019-11-21T16:42:48.497Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:33.879Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can take photos from both the front and back cameras.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", "created": "2019-09-04T14:28:16.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:34.151Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can track the device's location.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c6464a84-e23b-412f-b435-5b23853d3643", "created": "2020-09-14T13:35:45.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:27.879Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) encrypts its C2 communication.(Citation: ESET-Twitoor)", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:28.078Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures call data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695", "created": "2020-09-11T16:23:16.363Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:34.607Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can send SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c6758ea0-3343-4707-b563-69b901f90745", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c", "created": "2025-03-24T14:57:15.065Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:28.497Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) can execute an automated phone call.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c6770405-985b-4e24-8b09-01bce16426da", "created": "2024-03-26T16:17:26.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:28.709Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects the device\u2019s location through GPS or through network settings.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8", "created": "2024-03-26T18:42:43.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" }, { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:29.098Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) sends malicious links to victims to download the masqueraded application.(Citation: sophos_android_apt_spyware)(Citation: checkpoint_hamas_android_malware) ", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c6d7f454-8dc1-4928-a668-f71aba491e45", "created": "2025-08-29T22:07:08.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" }, { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T14:34:29.099Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has the ability to gain remote control of the victim device and to gather data associated with the device, including battery level, sound settings, and device brightness.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) [GodFather](https://attack.mitre.org/software/S1231) has also obtained the phone's state, including network information, phone number, and serial number.(Citation: MerkleScience_Godfather_April2023) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f", "created": "2020-06-24T18:24:35.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:29.338Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can extract the device\u2019s keychain.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9", "created": "2023-12-18T19:04:11.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:29.540Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can register with the `CONNECTIVITY_CHANGE` and `WIFI_STATE_CHANGED` broadcast events to trigger further functionality.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c773998e-a140-4498-827a-573df96e4331", "created": "2024-03-26T19:29:40.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" }, { "source_name": "Cyware APT-C-23 2020", "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4" }, { "source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. 
Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" }, { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:29.761Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has masqueraded as legitimate messaging applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c7b0fddc-939f-44e7-8a78-b15ff0afaf67", "created": 
"2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c", "created": "2024-02-21T22:05:29.733Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:30.367Z", "description": "Ensure that traffic is encrypted to reduce adversaries\u2019 ability to intercept, decrypt and manipulate traffic. ", "relationship_type": "mitigates", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb", "created": "2023-02-06T19:00:42.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:30.578Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access a device's location.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd", "created": "2022-04-01T15:03:02.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:30.780Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c836cf05-3e52-4b6e-8ade-a3e620dd32ad", "created": "2025-08-29T22:03:53.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:03:53.396Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `CALL_PHONE` permission to initiate phone calls.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:30.992Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0", "created": "2021-10-01T14:42:48.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:36.164Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c86918a3-6e41-4dfb-8b18-650fff596801", "created": "2020-09-11T16:22:03.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:36.359Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c877df57-0b8b-4286-aebb-6cca709638f3", "created": "2025-03-24T15:00:09.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:31.611Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent Push Notification Service to receive commands from the C2 server.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f", "created": "2020-06-26T15:12:40.100Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:32.029Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) abuses the accessibility service to auto-start the malware on device boot. 
This is accomplished by receiving the `android.accessibilityservice.AccessibilityService` intent.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee", "created": "2023-12-18T18:16:16.811Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:32.242Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has been distributed using phishing techniques, such as push notifications from compromised websites.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9", "created": "2022-03-28T19:32:05.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:32.631Z", "description": "Application developers should be cautious when selecting third-party libraries to integrate into their 
application.", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c91d3d41-2862-4a64-a29e-8c36dad06382", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31", "created": "2022-04-06T13:41:17.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:33.030Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140", "created": "2023-09-25T19:54:37.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:33.285Z", "description": "When devices are enrolled in 
an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on this list, for example by blocking specific remote access applications from being installed on managed devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:33.541Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2", "created": "2020-09-15T15:18:12.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { 
"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:33.732Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s network information.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1", "created": "2024-02-21T21:05:12.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:33.923Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ca486783-9413-4f39-8d2f-3adcb3e79127", "created": "2020-12-24T21:55:56.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:37.829Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. 
\u2018GoogleMusic.png\u2019) for holding configuration and C2 information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e", "created": "2019-09-23T13:36:08.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:38.011Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects the device's IMEI and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ca568149-9971-4d15-b3db-ff7dabd49695", "created": "2023-07-21T19:37:16.030Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:34.721Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can capture keystrokes.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59", "created": "2020-11-24T18:18:33.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:34.918Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used web injects to capture users\u2019 credentials.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506", "created": "2020-11-20T16:37:28.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:38.546Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has encrypted exfiltrated data using AES in ECB mode.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cacc0b72-9d73-4381-90e9-545ba908722c", "created": "2019-09-15T15:35:33.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:38.774Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cb2fcc6e-2728-4961-96f4-583e24c45e28", "created": "2025-06-25T15:35:12.240Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:35:12.240Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has used a commercial packer named Jiagubao to evade static detection.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cb5465c0-a577-45b1-becf-305e0bd47497", "created": "2023-08-23T22:49:18.075Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:35.558Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) may prevent its own uninstallation by abusing Android\u2019s `performGlobalAction(int)` API call.", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f", "created": "2023-07-21T19:42:12.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:35.771Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can inject malicious packages into applications already existing on an infected device.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c", "created": "2022-04-01T18:48:03.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:35.965Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985", "created": "2023-08-04T18:34:07.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:36.156Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1", "created": "2020-10-29T17:48:27.175Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:36.379Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can lock the device with a password and permanently disable the screen.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cbf17fea-141e-44b8-831c-b3cc41066420", "created": "2021-01-20T16:01:19.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. 
Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:39.476Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can download attacker-specified APK files.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cc0b8984-f561-4453-a2be-9be8bd62561e", "created": "2023-09-28T17:21:45.855Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:36.811Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can monitor a device\u2019s notifications.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cc345ae4-0d60-4f21-98b3-596c15118745", "created": "2023-02-06T19:42:46.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:37.008Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can send SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a", "created": "2019-11-21T19:16:34.796Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:37.234Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) hides its icon from the application launcher.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398", "created": "2024-02-20T23:48:31.513Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:37.446Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:40.059Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d", "created": "2021-02-08T16:36:20.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:40.255Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application\u2019s launcher icon file.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cc81b56c-cf73-4307-b950-e80246985195", "created": "2019-10-18T14:50:57.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:38.068Z", "description": "OS security updates typically contain exploit patches when disclosed.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ccb6f906-a785-4695-91a5-f1bc210892dc", "created": "2023-08-04T18:35:55.269Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. 
(2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:38.273Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate collected data as a ZIP file.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cce1848e-5f32-429a-8c9d-e32367052675", "created": "2024-03-26T16:15:44.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "blackberry_mobile_malware_apt_esp", "description": "BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf" }, { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:38.472Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) masquerades as legitimate applications.(Citation: forcepoint_bitter)(Citation: blackberry_mobile_malware_apt_esp) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cce49043-52b0-407c-b4f0-0f4727351d4b", "created": "2024-01-26T17:36:52.812Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:38.687Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) requests overlay permissions, which can allow it to create fake Login screens for other apps.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c", "created": "2019-12-10T16:07:41.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:40.820Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) attempts to gain root access by using local exploits.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cce82a76-5390-473d-9e7c-9450d1509d1d", "created": "2020-07-15T20:20:59.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:41.019Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ccf741d0-9a3d-4b37-822e-a74267032279", "created": "2025-08-29T22:01:27.430Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:01:27.431Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has generated fake notifications to lure the victim to phishing pages.(Citation: MerkleScience_Godfather_April2023) ", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", "created": "2020-01-27T17:05:58.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:41.339Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s battery level, network operator, connection information, sensor information, and information about the device\u2019s storage and memory.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328", "created": "2022-03-30T19:34:09.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:39.485Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cd13a6b2-2edf-4b2e-a8e3-3ed11b48a6de", "created": "2025-09-08T16:36:01.835Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T16:36:01.835Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "target_ref": 
"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2", "created": "2025-03-24T20:28:22.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:39.725Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has a plugin that can take screenshots.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cd440baa-9989-486e-b34b-d9469ffc79a5", "created": "2024-03-26T19:35:37.865Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). 
Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:39.923Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can record and take screenshots of the victim device.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:40.119Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3", "created": "2020-01-27T17:05:58.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:41.909Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of running processes.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cd7a2294-1e14-42e8-b870-d99d73443b88", "created": "2022-04-01T12:37:42.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:40.532Z", "description": "Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3", "created": "2025-03-28T14:52:26.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:40.734Z", "description": "(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cda58372-ae70-4716-8baf-cc06cb884ad6", "created": "2020-12-24T22:04:28.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:42.652Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of installed application names.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357", "created": "2020-12-17T20:15:22.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:42.865Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can track the device\u2019s location.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cde60121-3d7c-47c8-abeb-582854425599", "created": "2020-07-20T13:27:33.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:43.054Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can update the running malware.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cdf06664-903e-499b-86b4-b7bcce3c0740", "created": "2023-09-28T17:20:27.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. 
(2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:41.963Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can modify, send, and delete SMS messages.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625", "created": "2022-03-31T16:33:55.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:42.158Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef", "created": "2020-07-27T14:14:56.993Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:42.382Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ce5e7227-bf1d-4d73-9c90-efc37a2c6521", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ce645a25-160f-443d-b288-fdd108b78a06", "created": "2020-09-11T16:22:03.269Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:42.797Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s call log.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe", "created": "2017-10-25T14:48:53.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:43.003Z", "description": "A locked bootloader could prevent unauthorized modifications to protected operating system files. ", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd", "created": "2019-07-10T15:35:43.699Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:43.908Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) captures audio from the device microphone.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cea30219-a255-43ae-b731-9512c5044523", "created": "2022-04-18T19:46:02.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:43.428Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cea64a5c-1a69-4714-a6b9-2c6764f1fcab", "created": "2025-10-08T14:42:37.400Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:42:37.400Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has compressed and encrypted collected data with a password from the C2 server.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c", "created": "2020-01-27T17:05:58.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:44.220Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record audio and phone calls.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ceea7970-a921-4c59-9e28-de76af1d92fb", "created": "2026-02-06T21:26:11.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:26:11.799Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has requested that the Accessibility Service be enabled. 
Upon approval, [Crocodilus](https://attack.mitre.org/software/S9004) has connected to the C2 server to receive instructions, has continuously monitored Accessibility events, and has captured elements, such as wallet keys, displayed on the device screen.(Citation: ThreatFabric_Crocodilus_March2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--cf056f03-bc7b-4630-8673-ee1a9f2a64f0", "created": "2026-03-09T15:22:22.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:22:22.373Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has masqueraded as messaging and news applications.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a", "created": "2019-08-09T17:53:48.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:44.399Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can capture photos using the front and back cameras.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c", "created": "2023-09-28T17:21:26.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:44.026Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can use VNC to remotely control an infected device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca", "created": "2019-09-03T19:45:48.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:44.290Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cf70a7c5-1118-4d19-8c83-63a86b233917", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8", "created": "2024-02-20T23:57:43.867Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:44.893Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5", "created": "2023-07-12T20:35:36.527Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:45.090Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:45.286Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the phone and the SIM card.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d01b311d-8741-4b58-b127-88fecb2b0544", "created": "2020-04-08T15:41:19.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:45.493Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d056308f-dca7-493e-b152-6f77fa13155d", "created": "2023-12-18T18:17:05.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:45.718Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has collected account information from compromised devices.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e", "created": "2023-09-21T19:37:30.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:45.915Z", "description": "Some mobile security products offer a loopback VPN used for inspecting traffic. 
This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.", "relationship_type": "mitigates", "source_ref": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad", "created": "2022-04-05T19:45:03.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:46.102Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2", "created": "2020-09-11T15:53:38.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:45.804Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can automatically reply to SMS messages, and optionally delete them.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b", "created": "2020-12-24T21:45:56.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:46.029Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has access to the device\u2019s location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d", "created": "2020-01-21T15:30:39.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:46.256Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can download attacker-specified files.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d1318f71-7f70-4820-a3fc-0d05af038733", "created": "2021-10-01T14:42:49.154Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:46.914Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can perform actions when one of two hardcoded magic SMS strings is received.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d13724d0-a5e2-433b-86bf-ead04359edec", "created": "2022-04-01T15:13:10.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "iOS Universal Links", "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.", "url": "https://developer.apple.com/ios/universal-links/" }, { "source_name": "Android App Links", "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.", "url": "https://developer.android.com/training/app-links/verify-site-associations" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:47.125Z", "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. 
Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used so that an authorization code intercepted by a malicious application cannot be redeemed without the legitimate client's code verifier. ", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d1a78380-2464-4906-8709-237ff3306225", "created": "2026-02-06T21:30:48.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:30:48.428Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to request device administrator permissions.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3", "created": "2023-02-28T20:31:31.983Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). 
FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:47.583Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can intercept SMS messages and USSD messages from telecom operators.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d2210d87-3bd9-4455-b1de-2ff3772172ce", "created": "2026-03-09T15:33:56.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:33:56.116Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has used Firebase and Google Cloud Storage to send and receive C2 communications and to send collected data.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", "created": "2019-09-03T19:45:48.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:47.971Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc", "created": "2019-09-04T14:28:15.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:48.170Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve calendar event information including the event name, when and where it is taking place, and the description.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3", "created": "2025-03-27T22:48:46.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:48.377Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has collected the device\u2019s phone number and IMEI.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d2749285-47d9-44a4-962f-9215e6fb580e", "created": "2020-10-29T17:48:27.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:48.567Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can access the device\u2019s contact list.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38", "created": "2022-04-01T18:43:25.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:48.785Z", "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d3007886-00d1-4796-83da-f8ff26f4ac52", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d300eb82-5ca0-48aa-a45f-d34242545e27", "created": "2022-03-30T15:08:28.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:48.983Z", "description": "Device attestation could detect unauthorized operating system modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d3129d65-5d7f-434b-b2c7-043a6d8488e7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d32003ba-959b-4377-aa04-f75275c32abf", "created": "2019-07-16T14:33:12.144Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:49.173Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilized HTTP to exfiltrate data through POST requests to the command and control server.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb", "created": "2020-09-11T16:22:03.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:49.370Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s cell tower information.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c", "created": "2023-10-10T15:33:58.621Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:49.571Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) masquerades as local postal service applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d3aa489f-35e9-4f9c-b710-6c77f0eff18e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc", "created": "2024-02-21T20:50:38.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:49.776Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d3d901d7-1ddd-476c-af65-15a1affc422f", "created": "2024-03-26T19:03:58.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:49.981Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can capture pictures and videos.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d3e06522-2a30-4d56-801e-9461178b80ce", "created": "2021-01-05T20:16:20.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:50.180Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can hide its icon after launch.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0", "created": "2023-02-06T19:42:34.537Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:50.375Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can resist removal by going to the home screen during uninstall.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d4154247-90ce-43b9-8c17-5c28f67617f5", "created": "2020-12-24T21:55:56.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:48.271Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed browser history, as well as the files for 15 other apps.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be", "created": "2024-02-21T00:01:21.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:50.978Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c", "created": "2023-03-03T16:24:30.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:51.173Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hijacked normal applications\u2019 launch routines to display ads.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558", "created": "2025-03-12T22:10:11.013Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). 
Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:51.392Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has been distributed via email, SMS and other messaging applications.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d4a5a902-231e-4878-ad5b-39620498b018", "created": "2019-09-04T14:28:15.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:48.813Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record audio from the device's microphone and can record phone calls, specifying the output audio quality.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d4c4da6c-54ad-4fbd-9944-e6b82a1bc4e0", "created": "2026-02-16T15:47:45.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. 
Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:47:45.181Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has used phishing messages (smishing) and emails to gain initial access to devices.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d51b73d7-ebfe-48e5-ac85-3980c9bd3cbc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c", "created": "2020-12-18T20:14:47.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:48.992Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device\u2019s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:49.209Z", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.(Citation: Xiao-ZergHelper)", "relationship_type": "uses", "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078", "created": "2023-08-04T18:32:39.763Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:52.374Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access a device\u2019s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d562ed4d-ac4d-476b-872e-9e228c580889", "created": "2020-11-20T16:37:28.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:49.628Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can obtain a list of installed applications.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a", "created": "2020-11-10T17:08:35.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:49.806Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can collect notes and data from the MiCode app.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d59da983-c521-47b6-83ab-435f7d58611d", "created": "2019-11-21T16:42:48.493Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:53.002Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP requests for C2 communication.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d5c8eba4-3954-40c7-b800-afa6bc1105c9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a", "created": "2023-03-03T16:25:09.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:53.324Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.(Citation: paloalto_yispecter_1015) ", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d622d417-6439-40e8-ac3b-10463beeeb8f", "created": "2025-10-08T14:38:31.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:38:31.286Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected account names and their types from the device.(Citation: Lookout_DCHSpy_July2025)", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5", "created": "2020-11-24T17:55:12.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:50.173Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the user\u2019s browser cookies.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898", "created": "2019-09-04T14:28:16.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:53.910Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve call history.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d64c4924-76f0-4b2e-858d-b0df733334d0", "created": "2023-02-06T19:03:11.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:54.100Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can modify system settings to give itself device administrator privileges.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71", "created": "2022-03-30T20:53:54.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:54.322Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d6be8665-afbb-4be5-a56a-493af01b120a", "created": "2022-03-30T15:52:29.935Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:54.724Z", "description": "Mobile security products can potentially detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4", "created": "2021-02-17T20:43:52.413Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:51.093Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has compressed and encrypted data before exfiltration using password protected .7z archives.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55", "created": "2020-04-24T17:46:31.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:51.305Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383", "created": "2022-04-05T20:17:46.149Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:55.370Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", "created": "2020-12-24T21:55:56.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:51.798Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d716163d-2492-4088-9235-b2310312ba27", "created": "2022-04-06T15:44:48.422Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:55.980Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d71fab20-a56c-4404-a65d-aaa37056f16e", "created": "2022-04-01T15:16:16.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. 
Retrieved September 11, 2020.", "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T16:44:09.588Z", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the previously installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d724bcf3-25d2-406a-b612-333fea5e2385", "created": "2020-10-29T17:48:27.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:56.381Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can show phishing popups when a targeted application is running.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2", "created": "2022-04-08T16:29:55.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:56.575Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d7aa436a-e66d-4217-be66-4414703dec07", "created": "2020-11-10T17:08:35.634Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:52.410Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:56.975Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d7b7d0f4-2312-4207-824d-332904b81759", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d7bd4131-a95e-4f6a-a9ce-113079f1dbec", "created": "2025-08-29T21:56:01.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T21:56:01.595Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has obfuscated its Android manifest file with irrelevant permissions and manifest strings.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d7ca70d4-2006-4252-b243-e52be760e24d", "created": "2022-04-01T13:26:39.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:57.175Z", "description": "Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d7d6f1dd-9ed2-48a5-8c81-6dc09181d3fd", "created": "2025-08-29T22:03:31.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "MerkleScience_Godfather_April2023", "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-08-29T22:03:31.202Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `SEND_SMS` permission to send SMS messages.(Citation: MerkleScience_Godfather_April2023)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1", "created": "2019-09-04T15:38:56.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:57.367Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8", "created": "2025-03-24T14:51:50.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:57.566Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has collected device network information, such as the IMEI and the phone number.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37", "created": "2020-05-07T15:24:49.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:53.014Z", "description": "Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:53.186Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", "created": "2019-12-10T16:07:41.066Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:53.593Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) decrypts executables from archive files stored in the `assets` directory of the installation binary.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab", "created": "2020-09-11T16:22:03.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:53.858Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect and record audio content.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:54.115Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d8da0428-122e-4054-baee-ff85847d28fb", "created": "2025-10-08T14:35:07.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T16:56:25.834Z", "description": "(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "target_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7", "created": "2020-12-14T15:02:35.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:54.292Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has encrypted C2 communications using Base64-encoded RC4.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9", "created": "2024-01-26T17:37:34.983Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel 
Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:59.158Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can hide its application icon.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d995dfff-e4b2-4e07-8e76-b064354f591a", "created": "2022-04-01T12:49:32.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:59.378Z", "description": "Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b", "created": "2020-11-24T18:18:33.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). 
Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:59.567Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can request device administrator permissions.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--d9c63320-5855-42dc-8cd5-595755495259", "created": "2025-03-12T22:10:57.369Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). 
Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:51:59.785Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has used the hooking framework in a variety of ways, including returning false information to detection mechanisms, pretending that GooglePlayServices are unavailable, and manipulating UI functionality.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--da424f3f-8a93-4a66-858c-b33f587108e6", "created": "2020-10-29T17:48:27.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:54.970Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s country and carrier name.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:55.159Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852", "created": "2023-09-28T17:22:13.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:00.579Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect sensitive information, such as Google Authenticator codes.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dae66212-1bc9-485b-8a12-64fb6ca15aa5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--db1201f0-f925-4c3c-8673-7524a8c20886", "created": "2021-02-17T20:43:52.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:55.556Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has recorded calls.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a", "created": "2020-01-27T17:05:58.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:00.969Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s call log.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:55.883Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce", "created": "2023-12-18T19:08:25.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:01.562Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can send SMS messages.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dbef53a9-f9c4-4582-8e93-349ad488de12", "created": "2023-02-28T21:42:06.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:01.800Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view call logs.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97", "created": "2023-02-06T19:06:37.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:02.004Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can receive files from the C2 at runtime.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dc2c709d-89cf-46b9-98d3-385e33c23e34", "created": "2026-02-06T21:24:48.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_June2025", "description": "ThreatFabric. (2025, June 3). Crocodilus Mobile Malware: Evolving Fast, Going Global. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:24:48.107Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) dropper and payload have been packed to hinder detection.(Citation: ThreatFabric_Crocodilus_June2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--dc354395-cccf-471a-9335-8538ce20f1ec", "created": "2023-07-21T19:33:28.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:02.237Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate SMS logs.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357", "created": "2019-07-10T15:25:57.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:02.447Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dc70704a-54b3-4000-8c55-4919044de5c0", "created": "2024-03-26T19:03:10.647Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:02.636Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can exfiltrate the victim device\u2019s contact list.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962", "created": "2019-09-23T13:36:08.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:03.022Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can lock an HTML page in the foreground, requiring the user to enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. 
If attempts to revoke administrator permissions are detected, [Rotexy](https://attack.mitre.org/software/S0411) periodically switches off the phone screen to inhibit permission removal.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23", "created": "2023-07-21T19:37:42.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:03.239Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve the list of installed applications.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8", "created": "2023-01-18T19:58:00.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. 
(2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:03.431Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b", "created": "2020-07-15T20:20:59.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:03.629Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ddca1254-b404-4850-9566-0be35c6d7564", "created": "2020-11-10T17:08:35.771Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:03.843Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ddfa9b6c-a2b9-46e0-9a44-fa19a9aa0101", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e", "created": "2022-03-30T19:29:07.379Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:04.037Z", "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", 
"target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--de45db46-2251-4a29-b4d7-3fcf679e9484", "created": "2019-09-04T15:38:56.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" }, { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:04.281Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--de4ecfa3-fa91-4377-810c-5c567de9688b", "created": "2021-01-05T20:16:20.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:04.482Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can delete attacker-specified files.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6", "created": "2022-04-05T19:54:12.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:04.703Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--de7e3a71-1152-481c-8e5c-88f53852cab6", "created": "2022-04-01T15:16:53.239Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:04.911Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": 
"relationship", "id": "relationship--de8f4252-d725-430c-bcd9-29225c131e6e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5", "created": "2025-03-24T17:49:37.281Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:05.119Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has the ability to take a single picture, a continuous series of pictures, or event-triggered pictures using the device\u2019s camera.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) On iOS devices the default picture file type is High Efficiency Image Format (HEIC); on Android devices it is JPEG.", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--df036f55-f749-4dad-9473-d69535e0f98d", "created": "2020-06-26T14:55:13.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:05.587Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--df07166f-917e-4bc4-899e-d689d1d3f785", "created": "2023-10-10T15:33:58.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:05.831Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. 
[Agent Smith](https://attack.mitre.org/software/S0440)'s dropper is a weaponized copy of a legitimate Feng Shui Bundle application.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--df337ad4-c88e-425f-b869-ecac29674bf4", "created": "2021-03-25T16:39:40.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:58.738Z", "description": "(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a", "created": "2023-12-18T18:14:41.248Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:06.270Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has utilized commercial software packers.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:59.003Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b", "created": "2023-12-05T22:17:58.874Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:06.681Z", "description": "Mobile security products can potentially detect if a device is vulnerable to a known exploit and can alert the user to update their device. ", "relationship_type": "mitigates", "source_ref": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5", "created": "2020-04-08T15:41:19.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. 
Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" }, { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:06.882Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter and Telegram.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea", "created": "2023-02-06T19:45:58.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:07.077Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", "created": "2019-09-04T15:38:56.916Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:59.599Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e03b25b0-0779-48da-b5d7-28f1f6106363", "created": "2020-12-24T22:04:27.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:30:59.797Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken screenshots.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8", "created": "2020-09-24T15:34:51.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:00.034Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can record audio and outgoing calls.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e", "created": "2023-03-03T16:25:52.931Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:08.073Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about installed applications.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:08.270Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e0f58ab7-b246-4c41-9afc-89b582590809", "created": "2020-12-18T20:14:47.374Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:00.593Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can download additional modules at runtime via JavaScript `eval` statements.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e135cefa-f019-479d-86eb-438972df73e0", "created": "2019-09-04T15:38:56.702Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:08.681Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`, a location on the read-only system partition that can only be written to on a rooted device.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e1a94e63-733b-4d2b-8731-4abc11a1be9d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e1fc106e-1671-4103-b767-47b52c9b0742", "created": "2024-03-28T18:29:52.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:09.077Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to access the device\u2019s location.(Citation: welivesec_strongpity)", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e2128a08-dc84-4a1e-a090-172b4591ea6f", "created": "2025-10-08T14:37:17.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:37:17.378Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s call log.(Citation: Lookout_DCHSpy_July2025)", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb", "created": "2023-10-10T15:33:58.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:09.281Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has masqueraded as an Android security application.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e245e45a-71a8-408d-8f32-7b7337bffc26", "created": "2023-01-18T19:19:58.007Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:09.474Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can hide its application icon.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056", "created": "2020-12-24T22:04:27.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:01.430Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has extracted messages from chat programs, such as WeChat.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e29d91f0-ebee-481d-9344-702c90775109", "created": "2020-05-07T15:33:32.928Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:01.659Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can inject fraudulent ad modules into existing applications on a device.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e2aa5d54-6a01-48bb-9408-9f9ae00b702c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:10.104Z", "description": "[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e", "created": "2024-01-26T17:34:10.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:10.328Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can automatically send replies to a user\u2019s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb", "created": "2020-11-10T17:08:35.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:10.527Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used specially crafted SMS messages to control the target device.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e3340c35-81b3-497b-93e6-b59648ad2ccf", "created": "2026-02-16T16:03:51.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:03:51.821Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to send registered account information.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e3394db9-1cb6-4b7b-9b7e-0e6d15245737", "created": "2025-10-08T14:40:19.684Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:40:19.684Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected files of interest on the device, including WhatsApp files.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e33c48aa-e5b2-46b0-a82d-31f5c1faeb53", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1", "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8", "created": "2023-03-01T22:18:19.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:10.724Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send contact lists to its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e35b013b-89e8-41b3-a518-7737234ab71b", "created": "2020-01-27T17:05:58.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:02.271Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can take screenshots.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e39ee008-74d1-4669-b515-4d2bb97968c1", "created": "2024-02-20T23:49:23.124Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:11.125Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e3a961ec-8184-4143-b8c2-c33ea0503678", "created": "2020-09-24T15:34:51.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:02.604Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can take photos and record videos.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e3beb58a-2603-451e-a907-1a3823a90197", "created": "2025-03-27T22:47:12.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:11.537Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has deleted crash logs stored in `/private/var/mobile/Library/Logs/CrashReporter`, which may have been created during the initial exploitation phase, removing forensic evidence of the exploit chain.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e3d04885-95a5-47cb-a038-b58542cf787d", "created": "2019-09-03T19:45:48.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:11.734Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e4019493-bd52-4011-9355-8902be6ff3f3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:11.954Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a", "created": "2024-02-20T22:05:26.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:12.152Z", "description": "[Conceal Multimedia Files](https://attack.mitre.org/techniques/T1628/003) likely should not be mitigated with preventative controls because the `.nomedia` file may be used legitimately. ", "relationship_type": "mitigates", "source_ref": "course-of-action--76a32151-5233-465f-a607-7e576c62c932", "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e42c671c-6a8e-4ed5-a4cb-68e57613244f", "created": "2026-02-16T15:48:49.812Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. 
Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:48:49.812Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has sent a POST request to downcat.php while recording the access time and APK URL path.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e43098c9-bbdf-4330-baf2-1d04f93255ba", "created": "2026-02-06T21:29:50.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:29:50.548Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to collect a list of installed applications.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e4451543-136b-4fe2-a8e2-d005db705aa2", "created": "2025-04-14T18:09:08.678Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:12.378Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e457921c-4a0b-4d6e-92e7-553929ddf943", "created": "2023-02-06T18:51:14.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:12.586Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can download and install additional malware after initial infection.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717", "created": "2024-02-21T20:54:12.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:12.779Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e4973ce8-5f52-45ac-844d-f73c97a0e040", "created": "2026-02-16T15:57:38.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "EnkiWhiteHat_KimsukyDOCSWAP_Dec2025", "description": "EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.", "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code" }, { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T15:57:38.727Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `WRITE_EXTERNAL_STORAGE` permission.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e49f5d6a-4b8f-4649-9eb2-489524184feb", "created": "2026-02-16T16:08:58.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. 
Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-12T19:25:48.556Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has used a hardcoded IP address and port for C2 and exfiltration over socket communication.(Citation: S2W_DocSwap_Mar2025) ", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532", "created": "2023-02-06T19:46:43.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:12.975Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has included adversary-in-the-middle capabilities.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e50c605a-0cdf-4316-bb49-2deccc69143f", "created": "2024-03-26T16:19:01.439Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:13.377Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can make phone calls.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6", "created": "2020-09-14T13:35:45.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:13.572Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) can be controlled via Twitter.(Citation: ESET-Twitoor)", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a", "created": "2025-04-14T16:50:39.750Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:13.769Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the embedded `time_waste` function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. 
This exploit injects a `.dylib` into the `SpringBoard` process, allowing persistent access to audio and video capture.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030", "created": "2024-03-26T19:34:37.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" }, { "source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:13.968Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can read and exfiltrate SMS messages.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e56b94c0-eb5a-4597-b961-523971d84a73", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e5922453-d9b1-472b-b947-b1eaa426a32e", "created": "2024-02-20T23:46:46.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:14.159Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb", "created": "2020-12-24T22:04:28.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:14.397Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e5e4567e-05a3-4d79-beab-191efc336473", "created": "2020-01-27T17:05:58.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:04.387Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encrypts data prior to exfiltration using a simple XOR operation with a pre-configured key. Because the key is static and bundled with the malware, this is reversible obfuscation rather than cryptographically strong encryption: an analyst who recovers the key from a sample can decode the exfiltrated data.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e682fd05-a55e-447c-9de1-788cf061ba70", "created": "2025-03-24T20:08:36.103Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:14.802Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has sent and deleted SMS messages.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39", "created": "2020-12-14T15:02:35.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:15.255Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect SMS messages as they are received.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208", "created": "2020-07-20T13:27:33.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:04.904Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can receive system notifications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e7af5be1-721f-40c5-b647-659243a0a14b", "created": "2020-04-08T15:41:19.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. 
(2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:15.666Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac", "created": "2020-06-26T15:32:25.060Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:15.864Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e7b7e813-4867-46fe-bf86-6f367553d765", "created": "2019-11-21T16:42:48.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:05.749Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e7d6a883-2f2b-41e7-954e-7888a65a6f42", "created": "2025-06-25T15:36:36.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:36:36.311Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has displayed masqueraded wallet applications if the EnabledUIMode field is set to `true`. [CherryBlos](https://attack.mitre.org/software/S1225) has also displayed a fake user interface while victims make withdrawals in the legitimate Binance application if the EnableExchange field is set to `true`. 
The withdrawal transaction is ultimately transferred to the threat actor\u2019s controlled address.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:16.270Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e8768455-4d0c-4e3c-a901-1fc871227745", "created": "2022-03-30T17:54:56.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:16.476Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "target_ref": 
"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:16.688Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e889782a-f66b-448e-a466-e55b1bce7b64", "created": "2023-02-28T20:38:25.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:16.873Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has encrypted C2 message bodies with RSA and encoded them in base64.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f", "created": "2024-02-20T23:46:03.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:17.073Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d", "created": "2020-12-17T20:15:22.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:17.283Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s contact list.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e92e167d-d8b7-4429-bf60-d923f0a7f714", "created": "2026-03-09T15:33:30.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. 
Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:33:30.604Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested the `android.permission.CALL_PHONE` permission, which allows an application to initiate phone calls without going through the dialer UI for user confirmation.(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b", "created": "2023-09-28T17:21:15.893Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:17.682Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect application keylogs.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7", "created": "2019-08-07T15:57:13.388Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:06.828Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. 
It can also close or minimize targeted antivirus applications and the device security settings screen.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e964979d-7664-4897-8fcc-4f67ed494a37", "created": "2026-02-16T16:10:01.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "S2W_DocSwap_Mar2025", "description": "Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.", "url": "https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-16T16:10:01.860Z", "description": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to send installed application information, including application name, package name, installation timestamp, icon, and properties.(Citation: S2W_DocSwap_Mar2025)", "relationship_type": "uses", "source_ref": "malware--3dbef387-12df-4547-9dd3-075c7ffec9e3", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb", "created": "2020-12-17T20:15:22.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. 
Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:07.035Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can load additional Dalvik code while running.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e9b262ba-1c32-40b3-8622-121b30d6df50", "created": "2019-10-10T15:14:57.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:18.275Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e", "created": "2020-12-24T21:55:56.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:07.331Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the list of installed apps.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:18.719Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7", "created": "2020-11-24T17:55:12.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:07.765Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request the device\u2019s location.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ea8cfefa-f4b5-464a-b4b8-9e3aa587316c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--eb052029-e1c9-4f24-8594-299aaec7f1df", "created": "2020-12-14T14:52:03.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:19.328Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s call log.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93", "created": "2020-09-11T15:50:18.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:08.028Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can send SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:19.725Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5", "created": "2022-04-06T15:47:06.163Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:19.918Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", "created": "2017-10-25T14:48:53.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:08.558Z", "description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", "relationship_type": "mitigates", "source_ref": 
"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eb784dcf-4188-47e2-9217-837b262acfb9", "created": "2022-04-01T18:43:01.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:20.523Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3", "created": "2023-02-06T19:01:39.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:20.729Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself contact list access.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ebebb43d-aeec-4436-9d6f-c11fc8de82f3", "created": "2026-02-06T21:31:33.092Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:31:33.092Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to prevent application removal.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9", "created": "2025-03-24T20:12:48.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:20.920Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed a list of installed applications.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ec6ec329-a758-4259-a5f8-789cfef78a53", "created": "2025-03-28T14:35:59.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:21.112Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected and sent information on the device\u2019s IMEI, MEID, serial number and other device information.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ec734b52-a823-495c-9684-c4649269723e", "created": "2023-09-28T17:22:03.028Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:21.341Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can uninstall itself and other applications.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4", "created": "2025-03-14T17:57:47.876Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:21.545Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42", "created": "2021-10-01T14:42:48.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:09.556Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can use its keylogger module to take screenshots of the area of the screen that the user tapped.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d", "created": "2019-08-09T18:06:11.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:09.761Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) can take pictures with both the front and rear-facing cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ece70dca-803c-4209-8792-7e56e9901288", "created": "2020-07-15T20:20:59.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:22.374Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a", "created": "2020-07-15T20:20:59.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:10.059Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ed3293cf-de4f-4a73-98af-24325e8187c9", "created": "2020-04-24T17:46:31.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:22.777Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ed48a86f-e55f-4abf-8f18-98591b756399", "created": "2023-03-03T16:19:30.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:22.973Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hidden the app icon from iOS springboard.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d", "created": "2024-04-02T19:24:58.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:23.164Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) has included exploits for jailbreaking infected devices.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6", "created": "2023-02-28T20:31:55.191Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:23.780Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can access app notifications.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ede5c314-5988-4151-bb30-b6a6983d02c0", "created": "2020-12-31T18:25:05.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:23.974Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has been distributed as updates to legitimate applications. 
This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--edf7417d-d559-4423-b169-b2b2b33fcb76", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--edf758e1-600e-4b7e-94eb-6c76b9a5ca6a", "created": "2025-10-08T14:36:15.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout_DCHSpy_July2025", "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T14:36:15.827Z", "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has masqueraded as legitimate applications, such as VPN and banking applications.(Citation: Lookout_DCHSpy_July2025) ", "relationship_type": "uses", "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb", "created": "2019-09-04T15:38:56.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:24.172Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ee095f20-eef5-4dcc-a537-70b387592c2c", "created": "2023-02-28T20:38:46.702Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "bitdefender_flubot_0524", "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:24.379Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Accessibility Services to make removal of the malicious app difficult.(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9", "created": "2020-09-15T15:18:12.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:24.580Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s contact list.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f", "created": "2019-09-23T13:36:08.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:11.317Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eee008fa-a46f-4542-93e3-8fe5f949130f", "created": "2023-01-19T18:06:57.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:24.983Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671", "created": "2021-02-08T16:36:20.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:25.183Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f", "created": "2019-07-16T14:33:12.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Triada June 2016", "description": "Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019.", "url": "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/" }, { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:25.404Z", "description": "[Triada](https://attack.mitre.org/software/S0424) can redirect ad banner URLs on websites visited by the user to specific ad URLs.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada June 2016) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005", "created": "2023-10-10T15:33:57.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:25.602Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--efd35b6f-7a61-4998-97ff-608547e40f66", "created": "2019-10-01T14:23:44.054Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:25.810Z", "description": " [Rotexy](https://attack.mitre.org/software/S0411) encrypts JSON HTTP payloads with AES.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f012feab-5612-429f-81bd-ff75d6ffd04e", "created": "2022-04-05T17:03:34.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:26.007Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f051c943-998c-4db2-9dbc-d4755057bcf0", "created": "2022-04-05T19:49:06.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:26.231Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": 
"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f0851531-e554-4658-920c-f2342632c19a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:12.305Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1", "created": "2020-07-15T20:20:59.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:12.592Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f0e39856-4d2d-45c5-bf16-f683ee993010", "created": "2022-03-30T18:18:15.915Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:27.026Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc", "created": "2020-09-14T14:13:45.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:27.237Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) has exfiltrated data using HTTP PUT requests.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185", "created": "2025-03-24T20:08:17.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:27.430Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed SMS messages.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f157970b-4782-46d0-abdd-000ae6eea14b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:27.624Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f1c06c38-0f58-4789-9758-1e321394e03f", "created": "2025-03-24T17:49:09.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" }, { "source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:27.810Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185)'s main executable and modules use native libraries to execute targeted functionality.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f2274210-22bd-4ca4-887d-691e1370c85b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", "created": "2020-05-11T16:37:36.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:13.402Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can download device logs.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665", "created": "2023-07-21T19:39:51.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:28.237Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate data when the user boots the app, or on device boot.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f2661ec3-9c63-4ad8-91a9-8bd0e50a0cc3", "created": "2026-02-06T21:31:09.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_March2025", "description": "ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:31:09.183Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to enable or disable keylogging.(Citation: ThreatFabric_Crocodilus_March2025)", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee", "created": "2020-11-24T17:55:12.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:28.453Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can show a phishing WebView pretending to be a Google service that collects credit card information.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1", "created": "2020-06-26T15:32:25.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:28.639Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5", "created": "2025-03-27T22:49:20.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:28.828Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has exfiltrated collected data to the C2 server.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6", "created": "2020-01-21T14:20:50.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:29.038Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f33632d6-e0e7-4236-89da-0e41266c9a98", "created": "2026-03-09T15:39:20.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-12T17:49:02.950Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has exfiltrated captured data to C2 via POST requests.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132", "created": "2022-03-30T14:06:26.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:29.254Z", "description": "Mobile security products can typically detect jailbroken or rooted devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f372697e-b661-4995-9920-4ec0a9060ebb", "created": "2024-03-28T18:01:08.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos Promethium June 2020", "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" }, { "source_name": "Bitdefender StrongPity June 2020", "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:29.456Z", "description": "(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "relationship_type": "attributed-to", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f3c5d1a4-406d-47cc-8152-77bfbe5edaaf", "created": "2025-09-18T14:37:50.850Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:37:50.850Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has captured audio from the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a", "created": "2024-01-26T17:35:37.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:29.857Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) requests access to the `NotificationListenerService`, which can allow it to manipulate a device's notifications.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f42a3f60-103f-4b7a-b682-a03f76f3f028", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f44f18d4-4595-4277-9d1e-dd5be6d07a80", "created": "2025-06-25T15:35:33.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:35:33.315Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has received configuration files from the C2 server.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607", "created": "2024-02-21T21:05:56.876Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:30.276Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f490d3fc-7ef0-4f6c-aebd-82dbb30ecf7b", "created": "2026-03-09T15:36:31.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:36:31.337Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has logged keystrokes of an infected device.(Citation: ESET_VajraSpy_Feb2024) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f4aeacef-035c-4308-9e85-997703e27809", "created": "2020-01-27T17:05:58.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:30.473Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can delete arbitrary files on the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f4b0d3ea-ae51-4e3b-a642-8a853f583436", "created": "2025-06-25T15:35:54.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro_CherryBlos_July2023", "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-06-25T15:35:54.673Z", "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has communicated with the C2 server using HTTPS.(Citation: TrendMicro_CherryBlos_July2023) ", "relationship_type": "uses", "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012", "created": "2020-12-14T14:52:03.218Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:14.749Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can obtain the running application.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1", "created": "2019-07-10T15:35:43.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:30.888Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:31.090Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45", "created": "2019-09-15T15:32:17.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android Notification Listeners", "description": "Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:31.312Z", "description": "On Android devices with a work profile, the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. 
The `DevicePolicyManager.setApplicationHidden` method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.(Citation: Android Notification Listeners) ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19", "created": "2020-09-24T15:26:15.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:31.510Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has exfiltrated data using HTTP requests.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f5184fc6-8283-4547-afa9-2f1c0c703d5d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f5196775-2c99-4dc5-b173-6a10af503c6e", "created": "2023-09-25T19:55:13.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:31.725Z", "description": "Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8", "created": "2025-03-24T14:52:59.139Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:31.922Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent packer to hide its malicious payload.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f54196e6-3efd-4562-ae86-37bb79ec49f6", "created": "2025-09-18T14:38:14.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-18T14:38:14.426Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as MAC address, IMEI and phone number.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:15.715Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4", "created": "2022-09-29T21:22:06.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:32.332Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4", "created": "2023-09-28T17:20:50.748Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:32.721Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can record audio from the device\u2019s microphone.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f5b153b3-9392-4c5a-aa96-ae7efb9f7ad9", "created": "2026-03-09T15:28:15.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T15:28:15.201Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has obtained and exfiltrated a list of installed applications.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f5d24a31-53d2-4e84-9110-2da0582132cb", "created": "2020-05-07T15:33:32.936Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:32.925Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440)\u2019s core malware is disguised as a JPG file, and encrypted with an XOR cipher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:16.472Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:33.564Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e", "created": "2022-03-30T20:43:31.249Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:33.782Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f62351c6-0dff-45b1-a711-1b40b96639a2", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": 
"relationship", "id": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:33.975Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794", "created": "2019-11-21T16:42:48.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:16.958Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can record audio from the device\u2019s microphone and can record phone calls together with the caller ID.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f6417788-0c6e-4172-9010-f20870ec2278", "created": "2023-06-09T19:16:07.193Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:34.383Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can request device administrator privileges.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397", "created": "2019-09-04T14:28:16.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:17.281Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:17.455Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663", "created": "2023-08-16T16:39:10.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" }, { "source_name": "ThreatFabric_Chameleon_Dec2023", "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. 
Retrieved July 7, 2025.", "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-08T20:17:51.728Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to disable Google Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:17.751Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests the device phone number, IMEI, and IMSI.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f6c57544-4bf5-47b1-924f-1a9bd17f5e31", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa", "created": "2020-11-10T17:08:35.761Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:35.366Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has deleted call log entries coming from known C2 sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1", "created": "2020-07-20T13:49:03.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:18.084Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s IMSI and ICCID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc", "created": "2022-04-01T13:18:40.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:35.778Z", "description": "Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22", "created": "2023-07-21T19:39:20.054Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:35.978Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) uses a background service that can restart itself when the parent activity is stopped.(Citation: lookout_bouldspy_0423) ", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f776a4da-0fa6-414c-a705-e9e8b419e056", "created": "2020-06-26T15:32:25.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:18.473Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f781fd2c-209f-43f1-b55a-fb175187415f", "created": "2024-03-28T18:28:48.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:36.378Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s contact list.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a", "created": "2025-03-24T20:14:35.755Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:36.575Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has masqueraded a Mach-O executable as a png file.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a", "created": "2021-01-07T17:02:31.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:36.778Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can access the device's contact list.(Citation: Zscaler TikTok Spyware) ", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:19.132Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capturing coordinates when an SMS message or call is received.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9", "created": "2025-02-12T15:21:45.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Krebs LAPUSS Mar2022", "description": "Krebs, B. (2022, March 23). A Closer Look at the LAPSUS$ Data Extortion Group. Retrieved January 27, 2025.", "url": "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/" }, { "source_name": "Microsoft DEV-0537 Mar2022", "description": "Microsoft Incident Response, Microsoft Threat Intelligence . (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. 
Retrieved January 27, 2025.", "url": "https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:37.182Z", "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) has used SIM swapping to gain access to victims\u2019 mobile devices.(Citation: Krebs LAPUSS Mar2022)(Citation: Microsoft DEV-0537 Mar2022) ", "relationship_type": "uses", "source_ref": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f8151852-5a56-4c91-a691-1e50387a291d", "created": "2023-09-28T17:39:14.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:37.376Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f8312ce3-3533-46e7-bf93-90541f9b5c69", "created": "2025-08-29T22:04:44.695Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-08T14:31:06.242Z", "description": "[GodFather](https://attack.mitre.org/software/S1231) has captured information about the device's screen, including detailed tap events.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "relationship_type": "uses", "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f84355c2-b829-4324-821a-b5148734bb6b", "created": "2022-04-01T15:21:35.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:37.592Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c", "created": "2020-12-18T20:14:47.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:19.760Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can send SMS messages.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57", "created": "2020-04-08T15:51:25.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:19.980Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) obfuscates its payload, code, and strings.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f92fe9dd-7296-42f6-904e-e245c438376e", "created": "2020-12-14T15:02:35.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:38.397Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can request device administrator permissions.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23", "created": "2024-02-21T20:51:32.634Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:38.590Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:38.824Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f", "created": "2019-10-18T14:50:57.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:39.023Z", "description": "Security updates often contain patches for vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:20.642Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b", "created": "2024-02-21T21:09:05.676Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:39.433Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae", "created": "2019-09-04T20:01:42.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Nightwatch screencap April 2016", "description": "Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). 
Retrieved November 5, 2019.", "url": "https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:39.628Z", "description": "Application developers can apply the `FLAG_SECURE` property to sensitive screens within their apps to make it more difficult for the screen contents to be captured.(Citation: Nightwatch screencap April 2016) ", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0", "created": "2020-12-24T21:55:56.686Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:21.175Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed common system information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb", "created": "2020-09-15T15:18:12.466Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:40.037Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) exfiltrates data using HTTP requests.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:21.449Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d", "created": "2021-01-05T20:16:20.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:21.633Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture photos and videos from the device\u2019s camera.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fa5f3aea-2131-4690-8833-dc428fae2b22", "created": "2023-01-18T21:38:34.350Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and 
Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:40.713Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fad1e048-86e1-48c7-a183-0e13e429bc23", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--fada5ba5-7449-4878-b555-82f225473c8b", "created": "2022-03-30T19:28:42.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:40.906Z", "description": "Attestation can detect unauthorized modifications 
to devices. Mobile security software can then use this information and take appropriate mitigation action. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9", "created": "2023-07-21T19:34:53.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:41.096Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can get a device\u2019s location using GPS or network.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5", "created": "2023-06-09T19:16:53.458Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:41.323Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--faff4998-cc35-44fa-acf9-8fa480c1a0bc", "created": "2026-03-09T15:30:33.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "K7Dhanalakshmi_VajraSpy_April2022", "description": "Dhanalakshmi. (2022, April 19). VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.", "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/" }, { "source_name": "ESET_VajraSpy_Feb2024", "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. 
Retrieved October 27, 2025.", "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-09T20:34:36.067Z", "description": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.(Citation: ESET_VajraSpy_Feb2024) [VajraSpy](https://attack.mitre.org/software/S9006) has also requested `android.permission.WRITE_EXTERNAL_STORAGE` and `android.permission.READ_EXTERNAL_STORAGE`.(Citation: K7Dhanalakshmi_VajraSpy_April2022) ", "relationship_type": "uses", "source_ref": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6", "created": "2020-09-11T16:22:03.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:41.524Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect SMS messages.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68", "created": "2020-12-24T21:45:56.979Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:22.464Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can retrieve files from external storage and can collect browser data.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fb3b32a8-6422-4d44-91e3-27a58e569963", "created": "2019-09-03T19:45:48.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:41.928Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674", "created": "2020-12-24T22:04:28.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:22.747Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fb587f81-1300-438d-a33b-f8d08530788b", "created": "2019-07-10T15:35:43.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:42.373Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:23.193Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fb62afa9-d593-44f8-840d-bd5c595a1228", "created": "2022-04-01T18:44:46.780Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:42.822Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:43.028Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fbdbddd7-4980-4061-9192-24a887bc6bad", "created": "2020-12-07T14:28:32.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:23.559Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can open a SOCKS proxy connection through the compromised device.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7", "created": "2023-09-28T17:22:27.968Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:43.417Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect credentials using phishing overlays.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4", "created": "2019-09-03T19:45:48.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:43.623Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fc3c2496-aef9-4924-82e7-716d5149db01", "created": "2025-09-24T16:02:56.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ZimperiumGupta_RatMilad_Oct2022", "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-24T16:02:56.574Z", "description": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "relationship_type": "uses", "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--fc742401-a8cd-4a97-8c50-045807c47581", "created": "2025-03-28T14:38:55.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:43.812Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected and exfiltrated files.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55", "created": "2023-03-03T16:23:56.031Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:44.005Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected the device UUID.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f", "created": "2020-06-02T14:32:31.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:24.289Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fc8d747d-d6d0-4599-955b-325d8489e84c", "created": "2026-02-06T21:25:25.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric_Crocodilus_June2025", "description": "ThreatFabric. (2025, June 3). Crocodilus Mobile Malware: Evolving Fast, Going Global. 
Retrieved November 24, 2025.", "url": "https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-02-06T21:25:25.950Z", "description": "[Crocodilus](https://attack.mitre.org/software/S9004) has used its AccessibilityLogging feature to collect user data, such as private keys of specific cryptocurrency wallets.(Citation: ThreatFabric_Crocodilus_June2025) ", "relationship_type": "uses", "source_ref": "malware--eed7b988-0279-4c4f-bfa9-d81f5444a04b", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--fcaf04f2-3944-44f9-898a-e3df3fcf30c7", "created": "2025-09-17T15:30:25.216Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-09-17T15:30:25.216Z", "description": "Access to accounts is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their accounts. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", "created": "2019-08-09T17:56:05.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:24.565Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fcc42341-ec3a-4e24-a374-46bed72d061f", "created": "2021-10-01T14:42:49.191Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:24.778Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd", "created": "2020-06-26T14:55:13.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:44.827Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576", "created": "2020-09-14T14:13:45.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:25.269Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", "created": "2020-04-24T17:46:31.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:25.550Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java\u2019s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394", "created": "2021-02-08T16:36:20.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:45.837Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1", "created": "2020-07-15T20:20:59.227Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:46.021Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea", "created": "2022-03-30T19:32:43.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:46.240Z", "description": "Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a", "created": "2025-03-24T20:25:51.549Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" }, { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:46.438Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has deleted media files and messenger-related files on the device.(Citation: Threatfabric LightSpy 2024) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line and Whatsapp.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fe794ba6-42be-4d42-a16f-a41473874331", "created": "2022-03-30T15:08:13.679Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:46.633Z", "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fed0de7b-509f-445d-90b9-4b507214298b", "created": "2025-03-24T20:21:48.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:46.830Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has established auto-start execution during the system boot process.(Citation: Threatfabric LightSpy 2024) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938", "created": "2023-08-04T18:34:26.118Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:47.235Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate calendar information.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f", "created": "2023-10-10T15:33:57.463Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware. Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:47.436Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has masqueraded as popular apps, cracked games, and video players. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:26.801Z", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)", "relationship_type": "uses", "source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ffc82546-f4da-4f47-88ec-b215edb1d695", "created": "2021-02-08T16:36:20.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-28T15:31:27.048Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:48.076Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "type": "relationship", "id": "relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9", "created": "2020-04-08T15:51:25.149Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T21:52:48.285Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can download the device\u2019s contact list.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, { "modified": "2025-03-19T15:00:40.855Z", "name": "The MITRE Corporation", "identity_class": "organization", "type": "identity", "spec_version": "2.1", "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-06-01T00:00:00.000Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0" }, { "definition": { "statement": "Copyright 2015-2026, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." }, "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition", "spec_version": "2.1", "created": "2017-06-01T00:00:00.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "definition_type": "statement" } ], "spec_version": "2.0" }