ATT&CK Changes Between v11.2 and v11.3


Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine-readable output used to create this page: changelog.json

Techniques

mobile-attack

New Techniques

[T1626] Abuse Elevation Control Mechanism

Current version: 1.0

Description: Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.


[T1640] Account Access Removal

Current version: 1.0

Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts.


[T1638] Adversary-in-the-Middle

Current version: 2.0

Description: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.


[T1521.002] Encrypted Channel: Asymmetric Cryptography

Current version: 1.0

Description: Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA. For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).


[T1481.002] Web Service: Bidirectional Communication

Current version: 1.0

Description: Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.


[T1624.001] Event Triggered Execution: Broadcast Receivers

Current version: 1.0

Description: Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. An intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. In addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)


[T1636.001] Protected User Data: Calendar Entries

Current version: 1.0

Description: Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. If the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval.


[T1636.002] Protected User Data: Call Log

Current version: 1.0

Description: Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. If the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval.


[T1632.001] Subvert Trust Controls: Code Signing Policy Modification

Current version: 1.0

Description: Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.


[T1623] Command and Scripting Interpreter

Current version: 1.0

Description: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s `Runtime` package. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.


[T1645] Compromise Client Software Binary

Current version: 1.0

Description: Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. Adversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device.


[T1474.002] Supply Chain Compromise: Compromise Hardware Supply Chain

Current version: 1.0

Description: Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system.


[T1474.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Current version: 1.0

Description: Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)


[T1474.003] Supply Chain Compromise: Compromise Software Supply Chain

Current version: 1.0

Description: Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.


[T1636.003] Protected User Data: Contact List

Current version: 1.0

Description: Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. If the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval.


[T1634] Credentials from Password Store

Current version: 1.0

Description: Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain them. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.


[T1641] Data Manipulation

Current version: 1.0

Description: Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.


[T1481.001] Web Service: Dead Drop Resolver

Current version: 1.0

Description: Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).


[T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions

Current version: 1.0

Description: Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app. Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.


[T1629.002] Impair Defenses: Device Lockout

Current version: 1.0

Description: An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018) Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)


[T1629.003] Impair Defenses: Disable or Modify Tools

Current version: 1.0

Description: Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.


[T1630.003] Indicator Removal on Host: Disguise Root/Jailbreak Indicators

Current version: 1.0

Description: An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)


[T1637.001] Dynamic Resolution: Domain Generation Algorithms

Current version: 1.0

Description: Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018) DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.


[T1637] Dynamic Resolution

Current version: 1.0

Description: Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.


[T1642] Endpoint Denial of Service

Current version: 1.0

Description: Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword) On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)


[T1624] Event Triggered Execution

Current version: 1.0

Description: Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.


[T1627] Execution Guardrails

Current version: 1.0

Description: Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019) Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.


[T1639] Exfiltration Over Alternative Protocol

Current version: 1.0

Description: Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels.


[T1646] Exfiltration Over C2 Channel

Current version: 1.0

Description: Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.


[T1639.001] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Current version: 1.0

Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.


[T1630.002] Indicator Removal on Host: File Deletion

Current version: 1.0

Description: Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.


[T1417.002] Input Capture: GUI Input Capture

Current version: 1.0

Description: Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices) There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:

* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)
* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)


[T1643] Generate Traffic from Victim

Current version: 1.0

Description: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS.


[T1627.001] Execution Guardrails: Geofencing

Current version: 1.0

Description: Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv) [Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include "Allow only while using the app", which will effectively prohibit background location collection. Similarly, on iOS, developers can use built-in APIs to set up and execute geofencing. Depending on when access to the location services is required, the app will need to call either `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.
[Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.


[T1628] Hide Artifacts

Current version: 1.0

Description: Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.


[T1625] Hijack Execution Flow

Current version: 1.0

Description: Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. There are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.


[T1629] Impair Defenses

Current version: 1.0

Description: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.


[T1430.002] Location Tracking: Impersonate SS7 Nodes

Current version: 1.0

Description: Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)


[T1630] Indicator Removal on Host

Current version: 1.0

Description: Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.


[T1634.001] Credentials from Password Store: Keychain

Current version: 1.0

Description: Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)


[T1417.001] Input Capture: Keylogging

Current version: 1.0

Description: Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them. Some methods of keylogging include:

* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed.
* Additional methods of keylogging may be possible if root access is available.


[T1481.003] Web Service: One-Way Communication

Current version: 1.0

Description: Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.


[T1644] Out of Band Data

Current version: 2.0

Description: Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. On Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. On iOS, there is no way to programmatically read push notifications.


[T1629.001] Impair Defenses: Prevent Application Removal

Current version: 1.0

Description: Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.


[T1631] Process Injection

Current version: 1.0

Description: Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Neither Android nor iOS provides a legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.


[T1636] Protected User Data

Current version: 1.0

Description: Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. In almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. If the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval.


[T1631.001] Process Injection: Ptrace System Calls

Current version: 1.0

Description: Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) Ptrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.


[T1430.001] Location Tracking: Remote Device Management Services

Current version: 1.0

Description: An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location)


[T1636.004] Protected User Data: SMS Messages

Current version: 1.0

Description: Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. If the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval.


[T1418.001] Software Discovery: Security Software Discovery

Current version: 1.0

Description: Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.


[T1406.002] Obfuscated Files or Information: Software Packing

Current version: 1.0

Description: Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.


[T1635] Steal Application Access Token

Current version: 1.0

Description: Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.


[T1406.001] Obfuscated Files or Information: Steganography

Current version: 1.0

Description: Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.


[T1632] Subvert Trust Controls

Current version: 1.0

Description: Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert.


[T1628.001] Hide Artifacts: Suppress Application Icon

Current version: 1.0

Description: A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)


[T1521.001] Encrypted Channel: Symmetric Cryptography

Current version: 1.0

Description: Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.


[T1633.001] Virtualization/Sandbox Evasion: System Checks

Current version: 1.0

Description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters' addresses, CPU core count, and available memory/drive size. Hardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.


[T1625.001] Hijack Execution Flow: System Runtime API Hijacking

Current version: 1.0

Description: Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.


[T1641.001] Data Manipulation: Transmitted Data Manipulation

Current version: 1.0

Description: Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact. One method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10. Adversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted, for example by replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control. [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)


[T1635.001] Steal Application Access Token: URI Hijacking

Current version: 1.0

Description: Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)


[T1630.001] Indicator Removal on Host: Uninstall Malicious Application

Current version: 1.0

Description: Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:

* Abusing device owner permissions to perform silent uninstallation using device owner API calls.
* Abusing root permissions to delete files from the filesystem.
* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.


[T1623.001] Command and Scripting Interpreter: Unix Shell

Current version: 1.0

Description: Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.


[T1628.002] Hide Artifacts: User Evasion

Current version: 1.0

Description: Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.


[T1633] Virtualization/Sandbox Evasion

Current version: 1.0

Description: Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment.


[T1437.001] Application Layer Protocol: Web Protocols

Current version: 1.0

Description: Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. Web protocols such as HTTP and HTTPS are used for web traffic as well as for notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and, more recently, Firebase Cloud Messaging (FCM) (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order to blend in with routine device traffic, making it difficult for enterprises to inspect.

Major Version Changes

[T1532] Archive Collected Data

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip.

New Description
Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm.

Details (STIX field: old value → new value)

dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
modified: 2019-10-10 15:00:44.181000+00:00 → 2022-04-01 15:01:02.140000+00:00
name: Data Encrypted → Archive Collected Data
description: changed; old and new text shown above
kill_chain_phases[0]['phase_name']: exfiltration → collection
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_detection (old): Many encryption mechanisms are built into standard application-accessible APIs, and are therefore undetectable to the end user.
x_mitre_detection (new): Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.
x_mitre_version: 1.0 → 2.0

[T1429] Audio Capture

Current version: 3.0

Version changed from: 2.0 → 3.0


Old Description
Adversaries may capture audio to collect information on a user of a mobile device using standard operating system APIs. Adversaries may target audio information such as user conversations, surroundings, phone calls, or other sensitive information. Android and iOS, by default, requires that an application request access to microphone devices from the user. In Android, applications must hold the `android.permission.RECORD_AUDIO` permission to access the microphone and the `android.permission.CAPTURE_AUDIO_OUTPUT` permission to access audio output such as speakers. Android does not allow third-party applications to hold `android.permission.CAPTURE_AUDIO_OUTPUT`, so audio output can only be obtained by privileged applications (distributed by Google or the device vendor) or after a successful privilege escalation attack. In iOS, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file.

New Description
Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. Android and iOS, by default, require that applications request device microphone access from the user. On Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) On iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)

New Mitigations:

Dropped Mitigations:

Details (STIX field: old value → new value)

dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.

dictionary_item_removed
x_mitre_old_attack_id: MOB-T1032
external_references: APP-19

values_changed
modified: 2019-09-20 17:59:11.041000+00:00 → 2022-04-29 17:29:49.023000+00:00
name: Capture Audio → Audio Capture
description: changed; old and new text shown above
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Manifest.permission
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html → https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL
x_mitre_detection (old): On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone through the device settings screen, and the user can choose to revoke the permissions.
x_mitre_detection (new): In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware) In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators) Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. In both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.
x_mitre_version: 2.0 → 3.0

iterable_item_added
external_references: {'source_name': 'Requesting Auth-Media Capture', 'description': 'Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. Retrieved April 1, 2022.', 'url': 'https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios'}
external_references: {'source_name': 'Android Permissions', 'description': 'Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.', 'url': 'https://developer.android.com/reference/android/Manifest.permission'}
external_references{'source_name': 'Android Privacy Indicators', 'description': 'Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.', 'url': 'https://source.android.com/devices/tech/config/privacy-indicators'}
external_references{'source_name': 'iOS Mic Spyware', 'description': 'ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.', 'url': 'https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/'}
external_references{'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html', 'external_id': 'APP-19'}

[T1398] Boot or Logon Initialization Scripts

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality. Many Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code. If the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.

New Description
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.

New Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Android. (n.d.). Verified Boot. Retrieved December 21, 2016.
external_references: APP-27
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1001
external_references: APP-26
external_references: Samsung. (n.d.). What is a Knox Warranty Bit and how is it triggered?. Retrieved December 21, 2016.
values_changed
STIX Field: Old value → New value
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-11 14:33:11.096000+00:00
name: Modify OS Kernel or Boot Partition → Boot or Logon Initialization Scripts
description:
  old: If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality. Many Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code. If the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.
  new: Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.
kill_chain_phases[0]['phase_name']: defense-evasion → persistence
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Android-VerifiedBoot
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html → https://source.android.com/security/verifiedboot/
external_references[2]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html
external_references[2]['external_id']: APP-27 → APP-26
external_references[3]['source_name']: Samsung-KnoxWarrantyBit → NIST Mobile Threat Catalogue
external_references[3]['url']: https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html
x_mitre_detection:
  old: The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices. Samsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered "if a non-Knox kernel has been loaded on the device" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device. As described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected. Many enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.
  new: On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.
x_mitre_version: 1.0 → 2.0
iterable_item_removed
STIX Field: Old value
kill_chain_phases: {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'persistence'}
external_references: {'source_name': 'Apple-iOSSecurityGuide', 'description': 'Apple. (2016, May). iOS Security. Retrieved December 21, 2016.', 'url': 'https://www.apple.com/business/docs/iOS_Security_Guide.pdf'}

[T1414] Clipboard Data

Current version: 3.0

Version changed from: 2.0 → 3.0


Old Description
Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.(Citation: Fahl-Clipboard) On Android, `ClipboardManager.OnPrimaryClipChangedListener` can be used by applications to register as a listener and monitor the clipboard for changes.(Citation: Github Capture Clipboard 2019) Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).(Citation: Android 10 Privacy Changes)

New Description
Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard)

On Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes)

On iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1017
external_references: APP-35
values_changed
STIX Field: Old value → New value
modified: 2019-09-13 20:46:26.223000+00:00 → 2022-04-19 19:29:45.323000+00:00
name: Capture Clipboard Data → Clipboard Data
description:
  old: Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.(Citation: Fahl-Clipboard) On Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.(Citation: Github Capture Clipboard 2019) Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).(Citation: Android 10 Privacy Changes)
  new: Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) On Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) On iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Android 10 Privacy Changes
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html → https://developer.android.com/about/versions/10/privacy/changes#clipboard-data
external_references[2]['source_name']: Fahl-Clipboard → UIPPasteboard
external_references[2]['description']: Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019. → Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.
external_references[2]['url']: http://saschafahl.de/static/paper/pwmanagers2013.pdf → https://developer.apple.com/documentation/uikit/uipasteboard
external_references[3]['source_name']: Github Capture Clipboard 2019 → Fahl-Clipboard
external_references[3]['description']: Pearce, G. (, January). Retrieved August 8, 2019. → Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019.
external_references[3]['url']: https://github.com/grepx/android-clipboard-security → http://saschafahl.de/static/paper/pwmanagers2013.pdf
external_references[4]['source_name']: Android 10 Privacy Changes → Github Capture Clipboard 2019
external_references[4]['description']: Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. → Pearce, G. (, January). Retrieved August 8, 2019.
external_references[4]['url']: https://developer.android.com/about/versions/10/privacy/changes#clipboard-data → https://github.com/grepx/android-clipboard-security
x_mitre_detection:
  old: Capturing clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
  new: Application vetting services could detect usage of standard clipboard APIs.
x_mitre_version: 2.0 → 3.0
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html', 'external_id': 'APP-35'}

[T1456] Drive-By Compromise

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright). (This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)

New Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).

Multiple ways of delivering exploit code to a browser exist, including:
* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
* Malicious ads are paid for and served through legitimate ad providers.
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)

Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
   * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
   * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: Mobile security products can often alert the user if their device is vulnerable to known exploits.
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
external_references: CEL-22
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1059
external_references: CEL-22
external_references: Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. Retrieved December 23, 2016.
values_changed
STIX Field: Old value → New value
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-19 15:32:30.837000+00:00
name: Drive-by Compromise → Drive-By Compromise
description:
  old: As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright). (This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)
  new: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting. * Malicious ads are paid for and served through legitimate ad providers. * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Lookout-StealthMango
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html → https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf
external_references[2]['source_name']: Zimperium-Stagefright → NIST Mobile Threat Catalogue
external_references[2]['url']: https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/ → https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html
x_mitre_version: 1.0 → 2.0

[T1521] Encrypted Channel

Current version: 2.0

Version changed from: 1.0 → 2.0

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field: Old value → New value
modified: 2019-10-01 14:18:47.762000+00:00 → 2022-04-05 20:11:35.852000+00:00
name: Standard Cryptographic Protocol → Encrypted Channel
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_detection:
  old: Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is undetectable to the user.
  new: Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.
x_mitre_version: 1.0 → 2.0

[T1404] Exploitation for Privilege Escalation

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.

New Description
Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable.

New Mitigations:

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1007
values_changed
STIX Field: Old value → New value
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-03-30 15:51:08.258000+00:00
name: Exploit OS Vulnerability → Exploitation for Privilege Escalation
description:
  old: A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.
  new: Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 1.0 → 2.0

[T1541] Foreground Persistence

Current version: 2.0

Version changed from: 1.0 → 2.0

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.
external_references: APP-19
dictionary_item_removed
STIX Field: Old value
external_references: APP-19
external_references: Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.
values_changed
STIX Field: Old value → New value
modified: 2019-12-26 16:14:33.302000+00:00 → 2022-04-08 15:38:03.160000+00:00
kill_chain_phases[0]['phase_name']: collection → defense-evasion
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Android-SensorsOverview
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html → https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices
external_references[2]['source_name']: Android-SensorsOverview → Android-ForegroundServices
external_references[2]['description']: Google. (n.d.). Sensors Overview. Retrieved November 19, 2019. → Google. (n.d.). Services overview. Retrieved November 19, 2019.
external_references[2]['url']: https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices → https://developer.android.com/guide/components/services.html#Foreground
external_references[3]['source_name']: Android-ForegroundServices → TrendMicro-Yellow Camera
external_references[3]['description']: Google. (n.d.). Services overview. Retrieved November 19, 2019. → Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.
external_references[3]['url']: https://developer.android.com/guide/components/services.html#Foreground → https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/
external_references[5]['source_name']: TrendMicro-Yellow Camera → NIST Mobile Threat Catalogue
external_references[5]['url']: https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/ → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html
x_mitre_detection:
  old: Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.
  new: Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.
x_mitre_version: 1.0 → 2.0

[T1544] Ingress Tool Transfer

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim’s device.

New Description
Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field: Old value → New value
modified: 2020-01-21 15:27:30.182000+00:00 → 2022-04-06 14:46:25.107000+00:00
name: Remote File Copy → Ingress Tool Transfer
description:
  old: Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim’s device.
  new: Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_detection:
  old: Downloading remote files is common application behavior and is therefore typically undetectable to the end user.
  new: Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.
x_mitre_version: 1.0 → 2.0

[T1575] Native API

Current version: 2.0

Version changed from: 1.0 → 2.0

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field | Old value | New value
modified | 2020-04-28 18:34:15.373000+00:00 | 2022-04-08 15:46:24.495000+00:00
name | Native Code | Native API
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
x_mitre_version | 1.0 | 2.0

[T1509] Non-Standard Port

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
Adversaries may use non-standard ports to exfiltrate information.

New Description
Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field | Old value | New value
modified | 2019-09-11 13:27:50.344000+00:00 | 2022-04-06 14:50:16.409000+00:00
name | Uncommonly Used Port | Non-Standard Port
description | Adversaries may use non-standard ports to exfiltrate information. | Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
x_mitre_detection | Detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports. | Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.
x_mitre_version | 1.0 | 2.0

[T1406] Obfuscated Files or Information

Current version: 3.0

Version changed from: 2.0 → 3.0


Old Description
An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS)

New Description
Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware. Retrieved October 29, 2020.
external_references | | APP-21
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1009 |
external_references | APP-21 |
external_references | Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016. |
values_changed
STIX Field | Old value | New value
modified | 2019-09-23 13:26:01.263000+00:00 | 2022-04-06 12:36:31.652000+00:00
description | An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS) | Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB)
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Microsoft MalLockerB
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html | https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/
external_references[2]['source_name'] | Rastogi | NIST Mobile Threat Catalogue
external_references[2]['url'] | http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html
x_mitre_detection | Malicious obfuscation of files or information can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior. | Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.
x_mitre_version | 2.0 | 3.0
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Zhou', 'description': 'Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.', 'url': 'http://ieeexplore.ieee.org/document/6234407'} |
external_references | {'source_name': 'TrendMicro-Obad', 'description': 'Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.', 'url': 'http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/'} |
external_references | {'source_name': 'Xiao-iOS', 'description': 'Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.', 'url': 'http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao'} |

[T1424] Process Discovery

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the `ps` command, or by examining the `/proc` directory. Starting in Android version 7, use of the Linux kernel's `hidepid` feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).

New Description
Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges)

In iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions.

New Mitigations:

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | | Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1027 |
values_changed
STIX Field | Old value | New value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-03-30 20:32:19.942000+00:00
description | On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges). | Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) In iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions.
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
x_mitre_version | 1.0 | 2.0
iterable_item_added
STIX Field | Old value | New value
x_mitre_platforms | | iOS

[T1458] Replication Through Removable Media

Current version: 2.0

Version changed from: 1.1 → 2.0


Old Description
If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking). Previous demonstrations have included:

* Injecting malicious applications into iOS devices(Citation: Lau-Mactans).
* Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB).
* Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal).

Products from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking).

New Description
Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include:

* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB)
* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal)
* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | |
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.
external_references | | PHY-1
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1061 |
external_references | PHY-1 |
external_references | Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018. |
values_changed
STIX Field | Old value | New value
modified | 2019-02-03 15:10:41.460000+00:00 | 2022-04-08 15:53:11.864000+00:00
name | Exploit via Charging Station or PC | Replication Through Removable Media
description | If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking). Previous demonstrations have included: * Injecting malicious applications into iOS devices(Citation: Lau-Mactans). * Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB). * Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal). Products from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking). | Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: * Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) * Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) * Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking)
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Krebs-JuiceJacking
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html | http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/
external_references[2]['source_name'] | Krebs-JuiceJacking | GoogleProjectZero-OATmeal
external_references[2]['description'] | Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016. | Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.
external_references[2]['url'] | http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/ | https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html
external_references[4]['source_name'] | IBM-NexusUSB | Computerworld-iPhoneCracking
external_references[4]['description'] | Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017. | Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018.
external_references[4]['url'] | https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/ | https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html
external_references[5]['source_name'] | GoogleProjectZero-OATmeal | IBM-NexusUSB
external_references[5]['description'] | Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018. | Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.
external_references[5]['url'] | https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html | https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/
external_references[6]['source_name'] | Computerworld-iPhoneCracking | NIST Mobile Threat Catalogue
external_references[6]['url'] | https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html
x_mitre_version | 1.1 | 2.0
iterable_item_added
STIX Field | Old value | New value
kill_chain_phases | | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'lateral-movement'}
external_references | | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html', 'external_id': 'PHY-2'}
external_references | | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html', 'external_id': 'STA-6'}

[T1418] Software Discovery

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.

On Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.

On iOS, apps can use private API calls to obtain a list of other apps installed on the device. (Citation: Kurtz-MaliciousiOSApps) However, use of private API calls will likely prevent the application from being distributed through Apple's App Store.

New Description
Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions.

Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications.

New Mitigations:

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | | Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | APP-12
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1021 |
external_references | Android. (n.d.). PackageManager. Retrieved December 21, 2016. |
values_changed
STIX Field | Old value | New value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-03-30 20:41:40.719000+00:00
name | Application Discovery | Software Discovery
description | Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target. On Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool. On iOS, apps can use private API calls to obtain a list of other apps installed on the device. (Citation: Kurtz-MaliciousiOSApps) However, use of private API calls will likely prevent the application from being distributed through Apple's App Store. | Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications.
kill_chain_phases[0]['phase_name'] | defense-evasion | discovery
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | Android-PackageManager | NIST Mobile Threat Catalogue
external_references[1]['url'] | https://developer.android.com/reference/android/content/pm/PackageManager.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html
x_mitre_version | 1.0 | 2.0
iterable_item_removed
STIX Field | Old value | New value
kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'discovery'} |
external_references | {'source_name': 'Kurtz-MaliciousiOSApps', 'description': 'Andreas Kurtz. (2014, September 18). Malicious iOS Apps. Retrieved December 21, 2016.', 'url': 'https://andreas-kurtz.de/2014/09/malicious-ios-apps/'} |

[T1409] Stored Application Data

Current version: 3.0

Version changed from: 2.0 → 3.0


Old Description
Adversaries may access and collect application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)

This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).

New Description
Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)

Due to mobile OS sandboxing, this technique is only possible in three scenarios:

* An application stores files in unprotected external storage
* An application stores files in its internal storage directory with insecure permissions (e.g. 777)
* The adversary gains root permissions on the device

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
external_references | | AUT-0
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1012 |
external_references | AUT-0 |
external_references | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. |
values_changed
STIX Field | Old value | New value
modified | 2019-10-10 14:17:48.920000+00:00 | 2022-04-11 19:41:54.022000+00:00
name | Access Stored Application Data | Stored Application Data
description | Adversaries may access and collect application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory). | Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) Due to mobile OS sandboxing, this technique is only possible in three scenarios: * An application stores files in unprotected external storage * An application stores files in its internal storage directory with insecure permissions (e.g. 777) * The adversary gains root permissions on the device
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | SWB Exodus March 2019
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html | https://securitywithoutborders.org/blog/2019/03/29/exodus.html
external_references[2]['source_name'] | SWB Exodus March 2019 | NIST Mobile Threat Catalogue
external_references[2]['url'] | https://securitywithoutborders.org/blog/2019/03/29/exodus.html | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html
x_mitre_detection | Accessing stored application data can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.
x_mitre_version | 2.0 | 3.0
iterable_item_removed
STIX Field | Old value | New value
kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'credential-access'} |

[T1474] Supply Chain Compromise

Current version: 2.0

Version changed from: 1.1 → 2.0


Old Description
As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.

Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).

New Description
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

* Manipulation of development tools
* Manipulation of a development environment
* Manipulation of source code repositories (public or private)
* Manipulation of source code in open-source dependencies
* Manipulation of software update/distribution mechanisms
* Compromised/infected system images
* Replacement of legitimate software with modified versions
* Sales of modified/counterfeit products to legitimate distributors
* Shipment interdiction

While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.

Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)

New Mitigations:

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_attack_spec_version2.1.0
x_mitre_deprecatedFalse
x_mitre_domains['mobile-attack']
x_mitre_modified_by_refidentity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_referencesM. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.
external_referencesAPP-6
dictionary_item_removed
STIX FieldOld valueNew Value
x_mitre_old_attack_idMOB-T1077
external_referencesAPP-6
external_referencesM. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.
values_changed
STIX Field: Old value → New value
modified: 2021-03-10 21:06:37.536000+00:00 → 2022-03-28 19:41:56.018000+00:00
description:
  Old value: As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake. Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).
  New value: Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:
    * Manipulation of development tools
    * Manipulation of a development environment
    * Manipulation of source code repositories (public or private)
    * Manipulation of source code in open-source dependencies
    * Manipulation of software update/distribution mechanisms
    * Compromised/infected system images
    * Replacement of legitimate software with modified versions
    * Sales of modified/counterfeit products to legitimate distributors
    * Shipment interdiction
    While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.
    Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Grace-Advertisement
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html → https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf
external_references[3]['source_name']: Grace-Advertisement → NIST Mobile Threat Catalogue
external_references[3]['url']: https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html
x_mitre_detection:
  Old value:
    * Insecure third-party libraries could be detected by application vetting techniques. For example, Google's [App Security Improvement Program](https://developer.android.com/google/play/asi) detects the use of third-party libraries with known vulnerabilities within Android apps submitted to the Google Play Store.
    * Malicious software development tools could be detected by enterprises deploying integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.
  New value: Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.
x_mitre_version: 1.1 → 2.0
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html', 'external_id': 'SPC-0'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html', 'external_id': 'SPC-1'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html', 'external_id': 'SPC-2'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html', 'external_id': 'SPC-3'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html', 'external_id': 'SPC-4'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html', 'external_id': 'SPC-5'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html', 'external_id': 'SPC-6'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html', 'external_id': 'SPC-7'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html', 'external_id': 'SPC-8'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html', 'external_id': 'SPC-9'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html', 'external_id': 'SPC-10'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html', 'external_id': 'SPC-11'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html', 'external_id': 'SPC-12'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html', 'external_id': 'SPC-13'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html', 'external_id': 'SPC-14'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html', 'external_id': 'SPC-15'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html', 'external_id': 'SPC-16'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html', 'external_id': 'SPC-17'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html', 'external_id': 'SPC-18'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html', 'external_id': 'SPC-19'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html', 'external_id': 'SPC-20'}
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html', 'external_id': 'SPC-21'}

[T1512] Video Capture

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the `android.permission.CAMERA` permission to access the camera. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file, and must request access to the camera at runtime.

New Description
An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. In Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field: Old value → New value
modified: 2019-09-12 18:33:15.023000+00:00 → 2022-04-08 15:58:43.813000+00:00
name: Capture Camera → Video Capture
description:
  Old value: Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the `android.permission.CAMERA` permission to access the camera. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file, and must request access to the camera at runtime.
  New value: An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. In Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_detection:
  Old value: On Android and iOS, the user can view which applications have permission to use the camera through the device settings screen, and the user can choose to revoke the permissions.
  New value: The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny.
x_mitre_version: 1.0 → 2.0

Minor Version Changes

[T1517] Access Notifications

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)

New Description
Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)

New Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_contributors: ['Lukáš Štefanko, ESET']
values_changed
STIX Field: Old value → New value
modified: 2020-07-09 14:07:02.217000+00:00 → 2022-04-11 15:54:08.965000+00:00
description:
  Old value: A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)
  New value: Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_detection:
  Old value: The user can inspect (and modify) the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access).
  New value: Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access).
x_mitre_version: 1.0 → 1.1

[T1437] Application Layer Protocol

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. In the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)

New Description
Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1040
values_changed
STIX Field: Old value → New value
modified: 2019-02-03 14:52:45.266000+00:00 → 2022-04-19 20:03:51.831000+00:00
name: Standard Application Layer Protocol → Application Layer Protocol
description:
  Old value: Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. In the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)
  New value: Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 1.1 → 1.2
iterable_item_removed
STIX Field: Old value
kill_chain_phases: {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'exfiltration'}
external_references: {'source_name': 'Kaspersky-MobileMalware', 'description': 'Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.', 'url': 'https://securelist.com/mobile-malware-evolution-2013/58335/'}

[T1471] Data Encrypted for Impact

Current version: 3.1

Version changed from: 3.0 → 3.1


Old Description
An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.

New Description
An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1074
values_changed
STIX Field: Old value → New value
modified: 2019-10-01 13:51:22.001000+00:00 → 2022-04-06 13:31:22.485000+00:00
description:
  Old value: An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.
  New value: An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 3.0 → 3.1

[T1533] Data from Local System

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system. Local system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.

New Description
Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. Access to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions.

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field: Old value → New value
modified: 2019-10-11 14:53:38.987000+00:00 → 2022-04-01 16:53:27.576000+00:00
description:
  Old value: Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system. Local system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.
  New value: Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. Access to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html', 'external_id': 'STA-41'}

[T1407] Download New Code at Runtime

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis) On Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE) On iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)

New Description
Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult. On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.
external_references: APP-20
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1010
external_references: APP-20
external_references: Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014, February). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved December 21, 2016.
values_changed
STIX Field: Old value → New value
modified: 2019-10-09 19:40:52.090000+00:00 → 2022-04-06 12:26:31.735000+00:00
description:
  Old value: An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis) On Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE) On iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)
  New value: Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult. On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch)
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → FireEye-JSPatch
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html → https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html
external_references[2]['source_name']: Poeplau-ExecuteThis → NIST Mobile Threat Catalogue
external_references[2]['url']: https://www.internetsociety.org/sites/default/files/10_5_0.pdf → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html
x_mitre_detection:
  Old value: Downloading new code at runtime can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.
  New value: Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.
x_mitre_version: 1.2 → 1.3
iterable_item_removed
STIX Field: Old value
external_references: {'source_name': 'Bromium-AndroidRCE', 'description': 'Tom Sutcliffe. (2014, July 31). Remote code execution on Android devices. Retrieved December 9, 2016.', 'url': 'https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/'}
external_references: {'source_name': 'FireEye-JSPatch', 'description': 'Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.', 'url': 'https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html'}
external_references: {'source_name': 'Wang', 'description': 'Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.', 'url': 'https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei'}

[T1428] Exploitation of Remote Services

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).

New Description
Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. Depending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well.

New Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network.
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1031
values_changed
STIX Field: Old value → New value
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-06 12:45:44.023000+00:00
name: Exploit Enterprise Resources → Exploitation of Remote Services
description:
  Old value: Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).
  New value: Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. Depending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 1.0 → 1.1

[T1420] File and Directory Discovery

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.

iOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.

New Description:
Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions.

On Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges.
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | | On Android, users are presented with a permissions popup when an application requests access to external device storage.
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1023 |
values_changed
STIX Field | Old value | New value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-19 19:52:12.345000+00:00
description | On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges. | Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. On Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges.
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html', 'external_id': 'STA-41'}
x_mitre_platforms | | iOS

[T1417] Input Capture

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description:
Adversaries may capture user input to obtain credentials or other information from the user through various methods.

Malware may masquerade as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.

On Android, malware may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed.

Additional methods of keylogging may be possible if root access is available.

New Description:
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).

New Mitigations:

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | APP-31
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1020 |
external_references | Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016. |
values_changed
STIX Field | Old value | New value
modified | 2020-06-24 15:09:12.483000+00:00 | 2022-04-11 18:48:26.111000+00:00
description | Adversaries may capture user input to obtain credentials or other information from the user through various methods. Malware may masquerade as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested. On Android, malware may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. Additional methods of keylogging may be possible if root access is available. | Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | Zeltser-Keyboard | NIST Mobile Threat Catalogue
external_references[1]['url'] | https://zeltser.com/third-party-keyboards-security/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html
x_mitre_detection | On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions. | Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.
x_mitre_version | 2.1 | 2.2
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html', 'external_id': 'AUT-13'}

[T1430] Location Tracking

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.

New Description:
Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device.

On Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox)

On iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)

New Mitigations:

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1033 |
external_references | APP-24 |
values_changed
STIX Field | Old value | New value
modified | 2019-10-15 20:01:06.186000+00:00 | 2022-04-01 17:05:16.493000+00:00
description | An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs. | Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. On Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) On iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Palo Alto HenBox
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html | https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/
x_mitre_detection | On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions. | Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. In both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary.
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Android Request Location Permissions', 'description': 'Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.', 'url': 'https://developer.android.com/training/location/permissions'}
external_references | | {'source_name': 'Apple Requesting Authorization for Location Services', 'description': 'Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.', 'url': 'https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services'}
external_references | | {'source_name': 'Google Project Zero Insomnia', 'description': 'I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.', 'url': 'https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html'}
external_references | | {'source_name': 'PaloAlto-SpyDealer', 'description': 'Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.', 'url': 'https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/'}
external_references | | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html', 'external_id': 'APP-24'}

[T1461] Lockscreen Bypass

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.

### Biometric Spoofing
If biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID).

iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.

### Device Unlock Code Guessing or Brute Force
An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing ("shoulder surfing") the device owner's use of the lockscreen passcode.

### Exploit Other Device Lockscreen Vulnerabilities
Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.

New Description:
An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:

* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)
* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.
* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | | Users can see if someone is watching them type in their device passcode.
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1064 |
values_changed
STIX Field | Old value | New value
modified | 2019-02-03 17:08:07.111000+00:00 | 2022-04-19 15:36:12.312000+00:00
description | An adversary with physical access to a mobile device may seek to bypass the device's lockscreen. ### Biometric Spoofing If biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID). iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations. ### Device Unlock Code Guessing or Brute Force An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing ("shoulder surfing") the device owner's use of the lockscreen passcode. ### Exploit Other Device Lockscreen Vulnerabilities Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence. | An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including: * Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID) * Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts. * Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | SRLabs-Fingerprint | Wired-AndroidBypass
external_references[1]['description'] | SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016. | Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.
external_references[1]['url'] | https://srlabs.de/bites/spoofing-fingerprints/ | https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/
external_references[2]['source_name'] | SecureIDNews-Spoof | Kaspersky-iOSBypass
external_references[2]['description'] | Zack Martin. (2016, March 11). Another spoof of mobile biometrics. Retrieved September 18, 2018. | Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.
external_references[2]['url'] | https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/ | https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/
external_references[4]['source_name'] | Apple-TouchID | SRLabs-Fingerprint
external_references[4]['description'] | Apple. (2015, November 3). About Touch ID security on iPhone and iPad. Retrieved December 23, 2016. | SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.
external_references[4]['url'] | https://support.apple.com/en-us/HT204587 | https://srlabs.de/bites/spoofing-fingerprints/
x_mitre_version | 1.1 | 1.2
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Wired-AndroidBypass', 'description': 'Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.', 'url': 'https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/'} |
external_references | {'source_name': 'Kaspersky-iOSBypass', 'description': 'Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.', 'url': 'https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/'} |

[T1464] Network Denial of Service

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)

New Description:
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices.

A Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.(Citation: NIST-SP800187)

Usage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | | Unexpected loss of radio signal could indicate that a device is being actively jammed.
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.
external_references | | David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018.
external_references | | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.
external_references | | Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.
external_references | | CEL-7
external_references | | CEL-8
external_references | | LPN-5
external_references | | GPS-0
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1067 |
external_references | CEL-7 |
external_references | CEL-8 |
external_references | LPN-5 |
external_references | GPS-0 |
external_references | Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018. |
external_references | Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018. |
external_references | Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. Retrieved November 8, 2018. |
external_references | David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018. |
values_changed
STIX Field | Old value | New value
modified | 2019-02-03 14:15:21.946000+00:00 | 2022-04-06 13:26:42.303000+00:00
name | Jamming or Denial of Service | Network Denial of Service
description | An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam) | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. A Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.(Citation: NIST-SP800187) Usage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)
kill_chain_phases[0]['phase_name'] | network-effects | impact
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | CNET-Celljammer
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html | https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/
external_references[2]['source_name'] | NIST Mobile Threat Catalogue | Arstechnica-Celljam
external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html | https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/
external_references[3]['source_name'] | NIST Mobile Threat Catalogue | NIST-SP800187
external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf
external_references[4]['source_name'] | NIST Mobile Threat Catalogue | NYTimes-Celljam
external_references[4]['url'] | https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html | https://www.nytimes.com/2007/11/04/technology/04jammer.html
external_references[5]['source_name'] | NIST-SP800187 | Digitaltrends-Celljam
external_references[5]['description'] | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017. | Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. Retrieved November 8, 2018.
external_references[5]['url'] | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf | https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/
external_references[6]['source_name'] | CNET-Celljammer | NIST Mobile Threat Catalogue
external_references[6]['url'] | https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/ | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html
external_references[7]['source_name'] | NYTimes-Celljam | NIST Mobile Threat Catalogue
external_references[7]['url'] | https://www.nytimes.com/2007/11/04/technology/04jammer.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html
external_references[8]['source_name'] | Digitaltrends-Celljam | NIST Mobile Threat Catalogue
external_references[8]['url'] | https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/ | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html
external_references[9]['source_name'] | Arstechnica-Celljam | NIST Mobile Threat Catalogue
external_references[9]['url'] | https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/ | https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html
x_mitre_tactic_type[0] | Without Adversary Device Access | Post-Adversary Device Access
x_mitre_version | 1.1 | 1.2

[T1423] Network Service Scanning

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | | Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1026 |
values_changed
STIX Field | Old value | New value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-11 19:12:38.451000+00:00
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
x_mitre_version | 1.0 | 1.1

[T1513] Screen Capture

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description: Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)

New Description: Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019.
external_references: APP-40
dictionary_item_removed
STIX Field: Old value
external_references: APP-40
external_references: Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019.
values_changed
STIX Field: Old value → New Value
modified: 2020-06-24 15:03:25.857000+00:00 → 2022-04-01 13:31:00.559000+00:00
description (old): Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)
description (new): Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Android ScreenCap2 2019
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html → https://developer.android.com/studio/command-line/adb
external_references[2]['source_name']: Fortinet screencap July 2019 → Android ScreenCap1 2019
external_references[2]['description']: Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019. → Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019.
external_references[2]['url']: https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html → https://developer.android.com/reference/android/media/projection/MediaProjectionManager
external_references[3]['source_name']: Android ScreenCap1 2019 → Lookout-Monokle
external_references[3]['description']: Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019. → Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
external_references[3]['url']: https://developer.android.com/reference/android/media/projection/MediaProjectionManager → https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf
external_references[4]['source_name']: Lookout-Monokle → Fortinet screencap July 2019
external_references[4]['description']: Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. → Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.
external_references[4]['url']: https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf → https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html
external_references[5]['source_name']: Android ScreenCap2 2019 → Trend Micro ScreenCap July 2015
external_references[5]['description']: Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019. → Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019.
external_references[5]['url']: https://developer.android.com/studio/command-line/adb → https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/
external_references[6]['source_name']: Trend Micro ScreenCap July 2015 → NIST Mobile Threat Catalogue
external_references[6]['url']: https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/ → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html
x_mitre_detection: The user can view a list of apps with accessibility service privileges in the device settings. → The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.
x_mitre_version: 1.1 → 1.2

[T1426] System Information Discovery

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description: An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture. On Android, much of this information is programmatically accessible to applications through the android.os.Build class.(Citation: Android-Build) On iOS, techniques exist for applications to programmatically access this information.(Citation: StackOverflow-iOSVersion)

New Description: Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions.

On Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: APP-12
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1029
external_references: Stack Overflow. (n.d.). How can we programmatically detect which iOS version is device running on?. Retrieved December 21, 2016.
values_changed
STIX Field: Old value → New Value
modified: 2019-11-20 19:56:49.109000+00:00 → 2022-04-11 19:21:34.776000+00:00
description (old): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture. On Android, much of this information is programmatically accessible to applications through the android.os.Build class.(Citation: Android-Build) On iOS, techniques exist for applications to programmatically access this information.(Citation: StackOverflow-iOSVersion)
description (new): Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. On Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[2]['source_name']: StackOverflow-iOSVersion → NIST Mobile Threat Catalogue
external_references[2]['url']: http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html
x_mitre_version: 1.1 → 1.2

[T1422] System Network Configuration Discovery

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description: On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) The Android `TelephonyManager` class can be used to gather related information such as the IMSI, IMEI, and phone number.(Citation: TelephonyManager) On iOS, gathering network configuration information is not possible without root access.

New Description: Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems.

On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager)

On iOS, gathering network configuration information is not possible without root access.

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1025
values_changed
STIX Field: Old value → New Value
modified: 2020-06-02 14:35:01.479000+00:00 → 2022-03-30 21:04:12.723000+00:00
description (old): On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) The Android `TelephonyManager` class can be used to gather related information such as the IMSI, IMEI, and phone number.(Citation: TelephonyManager) On iOS, gathering network configuration information is not possible without root access.
description (new): Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) On iOS, gathering network configuration information is not possible without root access. Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 2.1 → 2.2

[T1421] System Network Connections Discovery

Current version: 2.1

Version changed from: 2.0 → 2.1


Old Description: On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.

New Description: Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network.

This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs:

* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission.
* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime.
* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1024
values_changed
STIX Field: Old value → New Value
modified: 2019-02-01 19:34:17.460000+00:00 → 2022-03-31 16:31:12.821000+00:00
description (old): On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.
description (new): Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: * `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. * `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. * For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 2.0 → 2.1
iterable_item_removed
STIX Field: Old value
external_references: {'source_name': 'ConnMonitor', 'description': 'Anti Spy Mobile. (2016, March 14). Network Connections. Retrieved December 21, 2016.', 'url': 'https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en'}

[T1481] Web Service

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description: Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

New Description: Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_detection: Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field: Old value → New Value
modified: 2019-02-01 17:29:43.503000+00:00 → 2022-04-06 15:35:05.775000+00:00
description (old): Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
description (new): Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
x_mitre_version: 1.0 → 1.1

Revocations

[T1435] Access Calendar Entries

Current version: 1.0

Description: An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.

This object has been revoked by [T1636.001] Calendar Entries

Description for [T1636.001] Calendar Entries: Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. If the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval.

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1038
values_changed
STIX Field: Old value → New Value
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-01 12:50:48.453000+00:00
revoked: False → True
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack

[T1433] Access Call Log

Current version: 1.1

Description: On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data. On iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.

This object has been revoked by [T1636.002] Call Log

Description for [T1636.002] Call Log: Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. If the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval.

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1036
values_changed
STIX Field: Old value → New Value
modified: 2019-09-18 18:17:43.466000+00:00 → 2022-04-01 13:14:43.174000+00:00
revoked: False → True
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack

[T1432] Access Contact List

Current version: 1.0

Description: An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.

This object has been revoked by [T1636.003] Contact List

Description for [T1636.003] Contact List: Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. If the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval.

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_old_attack_id: MOB-T1035
values_changed
STIX Field: Old value → New Value
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-01 13:19:41.180000+00:00
revoked: False → True
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack

[T1402] Broadcast Receivers

Current version: 2.0

Description: An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. Further, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)

This object has been revoked by [T1624.001] Broadcast Receivers

Description for [T1624.001] Broadcast Receivers: Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. An intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. In addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field: Old value
x_mitre_contributors: ['Alex Hinchliffe, Palo Alto Networks']
x_mitre_old_attack_id: MOB-T1005
values_changed
STIX Field: Old value → New Value
modified: 2020-03-27 15:28:03.858000+00:00 → 2022-03-30 14:43:46.019000+00:00
revoked: False → True
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack

[T1412] Capture SMS Messages

Current version: 1.1

Description: A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication. On Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement. On iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.

This object has been revoked by [T1636.004] SMS Messages

Description for [T1636.004] SMS Messages: Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. If the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval.

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_is_subtechnique | | False |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

dictionary_item_removed

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_old_attack_id | MOB-T1015 | |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2019-09-18 18:28:50.898000+00:00 | 2022-04-01 13:27:29.880000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |

[T1448] Carrier Billing Fraud

Current version: 2.0

Description: A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases. SMS fraud relies heavily on the fact that, when making SMS purchases, carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user with little or no user interaction.(Citation: Google Bread) Malicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. Either the application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread) On iOS, apps cannot send SMS messages. On Android, apps must hold the `SEND_SMS` permission to send SMS messages. Additionally, Android 4.2 and above mitigate this threat by requiring user consent before SMS messages can be sent to premium numbers.(Citation: AndroidSecurity2014)

This object has been revoked by [T1643] Generate Traffic from Victim

Description for [T1643] Generate Traffic from Victim: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS.

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

dictionary_item_removed

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_old_attack_id | MOB-T1051 | |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2020-05-04 15:40:20.943000+00:00 | 2022-04-06 13:57:38.841000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |

[T1510] Clipboard Modification

Current version: 1.0

Description: Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background; however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes) Adversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control. [Clipboard Modification](https://attack.mitre.org/techniques/T1510) has been seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)

This object has been revoked by [T1641.001] Transmitted Data Manipulation

Description for [T1641.001] Transmitted Data Manipulation: Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact. One method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10. Adversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted, for example replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control. [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_is_subtechnique | | False |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2019-10-28 18:36:26.261000+00:00 | 2022-04-06 13:41:17.512000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | ESET Clipboard Modification February 2019 | Android 10 Privacy Changes |
| external_references[1]['description'] | ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019. | Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. |
| external_references[1]['url'] | https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/ | https://developer.android.com/about/versions/10/privacy/changes#clipboard-data |
| external_references[2]['source_name'] | Welivesecurity Clipboard Modification February 2019 | Dr.Webb Clipboard Modification origin August 2018 |
| external_references[2]['description'] | Lukáš Štefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019. | Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019. |
| external_references[2]['url'] | https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/ | https://vms.drweb.com/virus/?i=17517750 |
| external_references[3]['source_name'] | Syracuse Clipboard Modification 2014 | Dr.Webb Clipboard Modification origin2 August 2018 |
| external_references[3]['description'] | Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019. | Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019. |
| external_references[3]['url'] | http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf | https://vms.drweb.com/virus/?i=17517761 |
| external_references[4]['source_name'] | Dr.Webb Clipboard Modification origin2 August 2018 | ESET Clipboard Modification February 2019 |
| external_references[4]['description'] | Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019. | ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019. |
| external_references[4]['url'] | https://vms.drweb.com/virus/?i=17517761 | https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/ |
| external_references[5]['source_name'] | Dr.Webb Clipboard Modification origin August 2018 | Welivesecurity Clipboard Modification February 2019 |
| external_references[5]['description'] | Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019. | Lukáš Štefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019. |
| external_references[5]['url'] | https://vms.drweb.com/virus/?i=17517750 | https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/ |
| external_references[6]['source_name'] | Android 10 Privacy Changes | Syracuse Clipboard Modification 2014 |
| external_references[6]['description'] | Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. | Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019. |
| external_references[6]['url'] | https://developer.android.com/about/versions/10/privacy/changes#clipboard-data | http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf |

[T1540] Code Injection

Current version: 1.0

Description: Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. The code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code at runtime through dynamic libraries. With root access, `ptrace` can be used to target specific applications and load shared libraries into their process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.(Citation: Google Triada June 2019)

This object has been revoked by [T1631.001] Ptrace System Calls

Description for [T1631.001] Ptrace System Calls: Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) Ptrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2020-03-29 04:07:06.663000+00:00 | 2022-03-30 19:14:20.369000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | Shunix Code Injection Mar 2016 | Fadeev Code Injection Aug 2018 |
| external_references[1]['description'] | Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019. | Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019. |
| external_references[1]['url'] | https://shunix.com/shared-library-injection-in-android/ | https://fadeevab.com/shared-library-injection-on-android-8/ |
| external_references[2]['source_name'] | Fadeev Code Injection Aug 2018 | Google Triada June 2019 |
| external_references[2]['description'] | Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019. | Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. |
| external_references[2]['url'] | https://fadeevab.com/shared-library-injection-on-android-8/ | https://security.googleblog.com/2019/06/pha-family-highlights-triada.html |
| external_references[3]['source_name'] | Google Triada June 2019 | Shunix Code Injection Mar 2016 |
| external_references[3]['description'] | Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. | Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019. |
| external_references[3]['url'] | https://security.googleblog.com/2019/06/pha-family-highlights-triada.html | https://shunix.com/shared-library-injection-in-android/ |

[T1605] Command-Line Interface

Current version: 1.0

Description: Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken. If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.

This object has been revoked by [T1623.001] Unix Shell

Description for [T1623.001] Unix Shell: Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2020-12-17 17:31:52.802000+00:00 | 2022-03-30 14:00:45.099000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |

[T1447] Delete Device Data

Current version: 2.1

Description: Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

This object has been revoked by [T1630.002] File Deletion

Description for [T1630.002] File Deletion: Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

dictionary_item_removed

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_old_attack_id | MOB-T1050 | |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2020-10-01 12:52:58.150000+00:00 | 2022-03-30 19:50:37.727000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |

[T1401] Device Administrator Permissions

Current version: 2.0

Description: Adversaries may request device administrator permissions to perform malicious actions. By abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or making it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo) Device administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.

This object has been revoked by [T1626.001] Device Administrator Permissions

Description for [T1626.001] Device Administrator Permissions: Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app. Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| external_references | | Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020. |
| external_references | | APP-22 |

dictionary_item_removed

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_old_attack_id | MOB-T1004 | |
| external_references | APP-22 | |
| external_references | Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020. | |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2020-11-24 13:40:08.343000+00:00 | 2022-04-01 16:52:36.965000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android DeviceAdminInfo |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html | https://developer.android.com/reference/android/app/admin/DeviceAdminInfo |
| external_references[2]['source_name'] | Android DeviceAdminInfo | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | https://developer.android.com/reference/android/app/admin/DeviceAdminInfo | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html |

[T1446] Device Lockout

Current version: 2.0

Description: An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment. On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword) On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)

This object has been revoked by [T1629.002] Device Lockout

Description for [T1629.002] Device Lockout: An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018) Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_is_subtechnique | | False |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| external_references | | Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016. |
| external_references | | APP-28 |

dictionary_item_removed

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_old_attack_id | MOB-T1049 | |
| external_references | APP-28 | |
| external_references | Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016. | |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2019-10-09 14:39:38.930000+00:00 | 2022-04-01 18:49:51.039000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Xiao-KeyRaider |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html | http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ |
| external_references[3]['source_name'] | Xiao-KeyRaider | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html |

[T1408] Disguise Root/Jailbreak Indicators

Current version: 1.1

Description: An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)

This object has been revoked by [T1630.003] Disguise Root/Jailbreak Indicators

Description for [T1630.003] Disguise Root/Jailbreak Indicators: An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_detection | | |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_is_subtechnique | | False |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| external_references | | Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016. |
| external_references | | EMM-5 |

dictionary_item_removed

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_old_attack_id | MOB-T1011 | |
| external_references | EMM-5 | |
| external_references | Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016. | |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2019-02-03 14:34:59.071000+00:00 | 2022-04-08 16:29:55.321000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Brodie |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html | https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf |
| external_references[2]['source_name'] | Brodie | Rastogi |
| external_references[2]['description'] | Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016. | Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016. |
| external_references[2]['url'] | https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf | http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf |
| external_references[4]['source_name'] | Rastogi | NIST Mobile Threat Catalogue |
| external_references[4]['url'] | http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html |

[T1520] Domain Generation Algorithms

Current version: 1.0

Description: Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018) DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.

This object has been revoked by [T1637.001] Domain Generation Algorithms

Description for [T1637.001] Domain Generation Algorithms: Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018) DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

Details
dictionary_item_added

| STIX Field | Old value | New value |
| --- | --- | --- |
| x_mitre_attack_spec_version | | 2.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['mobile-attack'] |
| x_mitre_is_subtechnique | | False |
| x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

values_changed

| STIX Field | Old value | New value |
| --- | --- | --- |
| modified | 2019-09-23 14:53:42.654000+00:00 | 2022-04-05 20:03:46.788000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | securelist rotexy 2018 | Data Driven Security DGA |
| external_references[1]['description'] | T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. | Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019. |
| external_references[1]['url'] | https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/ | https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/ |
| external_references[2]['source_name'] | Data Driven Security DGA | securelist rotexy 2018 |
| external_references[2]['description'] | Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019. | T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. |
| external_references[2]['url'] | https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/ | https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/ |

[T1466] Downgrade to Insecure Protocols

Current version: 1.1

Description: An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate.(Citation: NIST-SP800187) Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.

This object has been revoked by [T1638] Adversary-in-the-Middle

Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | |
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.
external_references | | CEL-3
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1069 |
external_references | CEL-3 |
external_references | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017. |
values_changed
STIX Field | Old value | New value
modified | 2019-02-03 15:16:13.386000+00:00 | 2022-04-06 15:50:42.480000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | NIST-SP800187
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf
external_references[2]['source_name'] | NIST-SP800187 | NIST Mobile Threat Catalogue
external_references[2]['url'] | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html

[T1439] Eavesdrop on Insecure Network Communication

Current version: 1.1

Description: If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)

This object has been revoked by [T1638] Adversary-in-the-Middle


Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | |
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016.
external_references | | APP-1
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1042 |
external_references | APP-0 |
external_references | D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016. |
values_changed
STIX Field | Old value | New value
modified | 2019-02-03 14:54:29.631000+00:00 | 2022-04-05 20:17:46.147000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | mHealth
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html | https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps
external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html
external_references[2]['external_id'] | APP-1 | APP-0
external_references[3]['source_name'] | mHealth | NIST Mobile Threat Catalogue
external_references[3]['url'] | https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html

[T1523] Evade Analysis Environment

Current version: 1.0

Description: Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)

This object has been revoked by [T1633.001] System Checks

Description for [T1633.001] System Checks: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters’ addresses, CPU core count, and available memory/drive size. Hardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field | Old value | New value
modified | 2019-10-11 14:48:50.525000+00:00 | 2022-03-30 17:54:56.590000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | Talos Gustuff Apr 2019 | Sophos Anti-emulation
external_references[1]['description'] | Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. | Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019.
external_references[1]['url'] | https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html | https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/
external_references[2]['source_name'] | ThreatFabric Cerberus | Xiao-ZergHelper
external_references[2]['description'] | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019. | Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.
external_references[2]['url'] | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html | http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/
external_references[3]['source_name'] | Xiao-ZergHelper | Cyberscoop Evade Analysis January 2019
external_references[3]['description'] | Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016. | Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019.
external_references[3]['url'] | http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/ | https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/
external_references[4]['source_name'] | Cyberscoop Evade Analysis January 2019 | ThreatFabric Cerberus
external_references[4]['description'] | Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019. | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.
external_references[4]['url'] | https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/ | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html
external_references[6]['source_name'] | Sophos Anti-emulation | Talos Gustuff Apr 2019
external_references[6]['description'] | Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019. | Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
external_references[6]['url'] | https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/ | https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

[T1438] Exfiltration Over Other Network Medium

Current version: 2.0

Description: Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

This object has been revoked by [T1644] Out of Band Data

Description for [T1644] Out of Band Data: Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. On Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. On iOS, there is no way to programmatically read push notifications.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | | Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1041 |
values_changed
STIX Field | Old value | New value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-18 19:46:02.529000+00:00
name | Alternate Network Mediums | Exfiltration Over Other Network Medium
description | Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems. | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
x_mitre_version | 1.0 | 2.0
iterable_item_removed
STIX Field | Old value | New value
kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'exfiltration'} |

[T1450] Exploit SS7 to Track Device Location

Current version: 1.1

Description: An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)

This object has been revoked by [T1430.002] Impersonate SS7 Nodes

Description for [T1430.002] Impersonate SS7 Nodes: Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references | | 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.
external_references | | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html
external_references | | CEL-38
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1053 |
external_references | CEL-38 |
external_references | https://www.youtube.com/watch?v=q0n5ySqbfdI |
external_references | CSRIC-WG1-FinalReport |
values_changed
STIX Field | Old value | New value
modified | 2019-02-03 15:06:10.014000+00:00 | 2022-04-05 19:54:12.657000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | 3GPP-Security
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html | http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf
external_references[2]['source_name'] | Engel-SS7 | CSRIC5-WG10-FinalReport
external_references[2]['description'] | Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016. | Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.
external_references[2]['url'] | https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf
external_references[3]['source_name'] | Engel-SS7-2008 | CSRIC-WG1-FinalReport
external_references[3]['description'] | Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016. | CSRIC-WG1-FinalReport
external_references[4]['source_name'] | 3GPP-Security | Positive-SS7
external_references[4]['description'] | 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016. | Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.
external_references[4]['url'] | http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf | https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf
external_references[5]['source_name'] | Positive-SS7 | Engel-SS7-2008
external_references[5]['description'] | Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016. | Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.
external_references[5]['url'] | https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf | https://www.youtube.com/watch?v=q0n5ySqbfdI
external_references[6]['source_name'] | CSRIC5-WG10-FinalReport | Engel-SS7
external_references[6]['description'] | Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017. | Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.
external_references[6]['url'] | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf | https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf
external_references[7]['source_name'] | CSRIC-WG1-FinalReport | NIST Mobile Threat Catalogue

[T1472] Generate Fraudulent Advertising Revenue

Current version: 1.0

Description: An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.

This object has been revoked by [T1643] Generate Traffic from Victim

Description for [T1643] Generate Traffic from Victim: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_detection | |
x_mitre_domains | | ['mobile-attack']
x_mitre_is_subtechnique | | False
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1075 |
values_changed
STIX Field | Old value | New value
modified | 2019-07-03 20:21:22.168000+00:00 | 2022-04-06 13:57:49.177000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1581] Geofencing

Current version: 1.0

Description: Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv) [Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API) Similarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)
[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.

This object has been revoked by [T1627.001] Geofencing

Description for [T1627.001] Geofencing: Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv) [Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include "Allow only while using the app", which will effectively prohibit background location collection. Similarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground. 
[Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_domains | | ['mobile-attack']
x_mitre_modified_by_ref | | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field | Old value | New value
modified | 2020-10-01 12:43:41.494000+00:00 | 2022-03-30 20:43:31.244000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[2]['source_name'] | Android Geofencing API | Apple Location Services
external_references[2]['description'] | Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020. | Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020.
external_references[2]['url'] | https://developer.android.com/training/location/geofencing | https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services
external_references[3]['source_name'] | Apple Location Services | Android Geofencing API
external_references[3]['description'] | Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020. | Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020.
external_references[3]['url'] | https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services | https://developer.android.com/training/location/geofencing

[T1411] Input Prompt

Current version: 2.1

Description: The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information. Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices) Specific approaches to this technique include:

### Impersonate the identity of a legitimate application

A malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)

### Display a prompt on top of a running legitimate application

A malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses) A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:

* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)
* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)

### Fake device notifications

A malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)

This object has been revoked by [T1417.002] GUI Input Capture

Description for [T1417.002] GUI Input Capture: Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices) There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:

* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)
* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.
external_references |  | APP-31

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1014 |
external_references | APP-31 |
external_references | Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019. |

values_changed
STIX Field | Old value | New value
modified | 2020-06-24 15:04:20.321000+00:00 | 2022-04-05 19:52:32.190000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Felt-PhishingOnMobileDevices
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html | http://w2spconf.com/2011/papers/felt-mobilephishing.pdf
external_references[2]['source_name'] | Felt-PhishingOnMobileDevices | Android Background
external_references[2]['description'] | A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016. | Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.
external_references[2]['url'] | http://w2spconf.com/2011/papers/felt-mobilephishing.pdf | https://developer.android.com/guide/components/activities/background-starts
external_references[3]['source_name'] | eset-finance | Android-getRunningTasks
external_references[3]['description'] | Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018. | Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017.
external_references[3]['url'] | https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/ | https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29
external_references[4]['source_name'] | Android-getRunningTasks | Cloak and Dagger
external_references[4]['description'] | Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017. | Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.
external_references[4]['url'] | https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29 | http://cloak-and-dagger.org/
external_references[5]['source_name'] | StackOverflow-getRunningAppProcesses | Group IB Gustuff Mar 2019
external_references[5]['description'] | Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017. | Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.
external_references[5]['url'] | http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag | https://www.group-ib.com/blog/gustuff
external_references[6]['source_name'] | ThreatFabric Cerberus | eset-finance
external_references[6]['description'] | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019. | Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.
external_references[6]['url'] | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html | https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/
external_references[8]['source_name'] | Android Background | XDA Bubbles
external_references[8]['description'] | Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019. | Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.
external_references[8]['url'] | https://developer.android.com/guide/components/activities/background-starts | https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/
external_references[9]['source_name'] | Cloak and Dagger | NowSecure Android Overlay
external_references[9]['description'] | Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019. | Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.
external_references[9]['url'] | http://cloak-and-dagger.org/ | https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/
external_references[10]['source_name'] | NowSecure Android Overlay | ThreatFabric Cerberus
external_references[10]['description'] | Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019. | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.
external_references[10]['url'] | https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/ | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html
external_references[11]['source_name'] | Skycure-Accessibility | StackOverflow-getRunningAppProcesses
external_references[11]['description'] | Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016. | Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017.
external_references[11]['url'] | https://www.skycure.com/blog/accessibility-clickjacking/ | http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag
external_references[12]['source_name'] | XDA Bubbles | Skycure-Accessibility
external_references[12]['description'] | Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019. | Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.
external_references[12]['url'] | https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/ | https://www.skycure.com/blog/accessibility-clickjacking/
external_references[13]['source_name'] | Group IB Gustuff Mar 2019 | NIST Mobile Threat Catalogue
external_references[13]['url'] | https://www.group-ib.com/blog/gustuff | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html

[T1478] Install Insecure or Malicious Configuration

Current version: 1.0

Description: An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile). For example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)). On iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).

This object has been revoked by [T1632.001] Code Signing Policy Modification

Description for [T1632.001] Code Signing Policy Modification: Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018.
external_references |  | STA-7

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1081 |
external_references | STA-7 |
external_references | Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018. |

values_changed
STIX Field | Old value | New value
modified | 2021-11-01 18:29:08.293000+00:00 | 2022-03-30 18:18:15.903000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Talos-MDM
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html | https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
external_references[3]['source_name'] | Talos-MDM | NIST Mobile Threat Catalogue
external_references[3]['url'] | https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html | https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html

[T1579] Keychain

Current version: 1.0

Description: Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)

This object has been revoked by [T1634.001] Keychain

Description for [T1634.001] Keychain: Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.
external_references |  | AUT-11

dictionary_item_removed
STIX Field | Old value | New value
external_references | AUT-11 |
external_references | V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020. |

values_changed
STIX Field | Old value | New value
modified | 2020-06-24 19:02:46.237000+00:00 | 2022-04-01 15:02:43.470000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Apple Keychain Services
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html | https://developer.apple.com/documentation/security/keychain_services
external_references[2]['source_name'] | Apple Keychain Services | Elcomsoft Decrypt Keychain
external_references[2]['description'] | Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020. | V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020.
external_references[2]['url'] | https://developer.apple.com/documentation/security/keychain_services | https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/
external_references[3]['source_name'] | Elcomsoft Decrypt Keychain | NIST Mobile Threat Catalogue
external_references[3]['url'] | https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/ | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html

[T1452] Manipulate App Store Rankings or Ratings

Current version: 1.0

Description: An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).

This object has been revoked by [T1643] Generate Traffic from Victim

Description for [T1643] Generate Traffic from Victim: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS.

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1055 |

values_changed
STIX Field | Old value | New value
modified | 2019-07-03 20:25:59.845000+00:00 | 2022-04-06 13:57:24.726000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1463] Manipulate Device Communication

Current version: 1.1

Description: If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).

This object has been revoked by [T1638] Adversary-in-the-Middle

Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016.
external_references |  | APP-1

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1066 |
external_references | APP-1 |
external_references | Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016. |

values_changed
STIX Field | Old value | New value
modified | 2021-07-28 18:45:08.382000+00:00 | 2022-04-06 15:44:48.421000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | FireEye-SSL
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html | https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
external_references[2]['source_name'] | FireEye-SSL | NIST Mobile Threat Catalogue
external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html

[T1400] Modify System Partition

Current version: 1.2

Description: If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user. Many Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.

This object has been revoked by [T1625.001] System Runtime API Hijacking

Description for [T1625.001] System Runtime API Hijacking: Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Android. (n.d.). Verified Boot. Retrieved December 21, 2016.
external_references |  | APP-27

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1003 |
external_references | APP-27 |
external_references | Apple. (2016, May). iOS Security. Retrieved December 21, 2016. |

values_changed
STIX Field | Old value | New value
modified | 2019-09-04 13:35:57.549000+00:00 | 2022-03-30 15:18:21.242000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android-VerifiedBoot
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html | https://source.android.com/security/verifiedboot/
external_references[2]['source_name'] | Android-VerifiedBoot | Apple-iOSSecurityGuide
external_references[2]['description'] | Android. (n.d.). Verified Boot. Retrieved December 21, 2016. | Apple. (2016, May). iOS Security. Retrieved December 21, 2016.
external_references[2]['url'] | https://source.android.com/security/verifiedboot/ | https://www.apple.com/business/docs/iOS_Security_Guide.pdf
external_references[3]['source_name'] | Apple-iOSSecurityGuide | NIST Mobile Threat Catalogue
external_references[3]['url'] | https://www.apple.com/business/docs/iOS_Security_Guide.pdf | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

[T1507] Network Information Discovery

Current version: 1.0

Description: Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.

This object has been revoked by [T1421] System Network Connections Discovery

Description for [T1421] System Network Connections Discovery: Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs:

* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WifiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission.
* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime.
* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application to hold the `ACCESS_FINE_LOCATION` permission.

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field | Old value | New value
modified | 2019-07-10 15:18:16.753000+00:00 | 2022-03-31 16:33:55.068000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1410] Network Traffic Capture or Redirection

Current version: 1.0

Description: An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same. A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple. Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic. An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile. If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

This object has been revoked by [T1638] Adversary-in-the-Middle

Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1013 |

values_changed
STIX Field | Old value | New value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-15 17:52:24.123000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1468] Remotely Track Device Without Authorization

Current version: 1.1

Description: An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)

This object has been revoked by [T1430.001] Remote Device Management Services

Description for [T1430.001] Remote Device Management Services: An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location)

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018.
external_references |  | EMM-7

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1071 |
external_references | ECO-5 |
external_references | Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018. |

values_changed
STIX Field | Old value | New value
modified | 2019-02-03 14:16:59.424000+00:00 | 2022-04-05 19:40:25.068000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Krebs-Location
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html | https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/
external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html
external_references[2]['external_id'] | EMM-7 | ECO-5
external_references[3]['source_name'] | Krebs-Location | NIST Mobile Threat Catalogue
external_references[3]['url'] | https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/ | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html

[T1467] Rogue Cellular Base Station

Current version: 1.1

Description: An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).

This object has been revoked by [T1638] Adversary-in-the-Middle

Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016.
external_references |  | CEL-7

dictionary_item_removed
STIX Field | Old value | New value
x_mitre_old_attack_id | MOB-T1070 |
external_references | CEL-7 |
external_references | Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016. |

values_changed
STIX Field | Old value | New value
modified | 2019-02-03 15:17:11.346000+00:00 | 2022-04-06 15:52:41.578000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Computerworld-Femtocell
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html | http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html
external_references[2]['source_name'] | Computerworld-Femtocell | NIST Mobile Threat Catalogue
external_references[2]['url'] | http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html

[T1465] Rogue Wi-Fi Access Points

Current version: 1.1

Description: An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).

This object has been revoked by [T1638] Adversary-in-the-Middle

Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016.
external_references |  | LPN-0
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_old_attack_id | MOB-T1068 |
external_references | LPN-0 |
external_references | Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016. |
values_changed
STIX Field | Old value | New Value
modified | 2019-02-03 15:15:18.023000+00:00 | 2022-04-06 15:51:11.938000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Kaspersky-DarkHotel
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html | https://blog.kaspersky.com/darkhotel-apt/6613/
external_references[3]['source_name'] | Kaspersky-DarkHotel | NIST Mobile Threat Catalogue
external_references[3]['url'] | https://blog.kaspersky.com/darkhotel-apt/6613/ | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html

[T1508] Suppress Application Icon

Current version: 1.1

Description: A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)

This object has been revoked by [T1628.001] Suppress Application Icon

Description for [T1628.001] Suppress Application Icon: A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_contributors | ['Emily Ratliff, IBM'] |
values_changed
STIX Field | Old value | New Value
modified | 2019-11-14 18:03:26.460000+00:00 | 2022-03-30 20:07:33.279000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | android-trojan-steals-paypal-2fa | sunny-stolen-credentials
external_references[1]['description'] | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. | Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.
external_references[1]['url'] | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/ | https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/
external_references[2]['source_name'] | sunny-stolen-credentials | android-trojan-steals-paypal-2fa
external_references[2]['description'] | Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019. | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.
external_references[2]['url'] | https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/ | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

[T1416] URI Hijacking

Current version: 2.0

Description: Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)

This object has been revoked by [T1635.001] URI Hijacking

Description for [T1635.001] URI Hijacking: Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_contributors | ['Leo Zhang, Trend Micro', 'Steven Du, Trend Micro'] |
x_mitre_old_attack_id | MOB-T1019 |
values_changed
STIX Field | Old value | New Value
modified | 2020-10-01 12:42:21.628000+00:00 | 2022-04-01 15:17:21.508000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1576] Uninstall Malicious Application

Current version: 1.0

Description: Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:
* Abusing device owner permissions to perform silent uninstallation using device owner API calls.
* Abusing root permissions to delete files from the filesystem.
* Abusing the accessibility service. This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.

This object has been revoked by [T1630.001] Uninstall Malicious Application

Description for [T1630.001] Uninstall Malicious Application: Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:
* Abusing device owner permissions to perform silent uninstallation using device owner API calls.
* Abusing root permissions to delete files from the filesystem.
* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field | Old value | New Value
modified | 2020-05-26 18:05:37.393000+00:00 | 2022-03-30 19:34:09.371000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1618] User Evasion

Current version: 1.0

Description: Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

This object has been revoked by [T1628.002] User Evasion

Description for [T1628.002] User Evasion: Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field | Old value | New Value
modified | 2021-10-12 18:13:25.586000+00:00 | 2022-04-11 20:06:56.032000+00:00
revoked | False | True
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

Deprecations

[T1413] Access Sensitive Data in Device Logs

Current version: 1.0

Description: On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_old_attack_id | MOB-T1016 |
values_changed
STIX Field | Old value | New Value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 15:37:34.463000+00:00
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1427] Attack PC via USB Connection

Current version: 1.1

Description: With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC.(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016.
external_references |  | PHY-2
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_old_attack_id | MOB-T1030 |
external_references | PHY-2 |
external_references | Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016. |
values_changed
STIX Field | Old value | New Value
modified | 2019-02-03 14:51:19.932000+00:00 | 2022-04-06 15:39:14.695000+00:00
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | ArsTechnica-PoisonTap
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html | http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/
external_references[3]['source_name'] | ArsTechnica-PoisonTap | NIST Mobile Threat Catalogue
external_references[3]['url'] | http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/ | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html

[T1436] Commonly Used Port

Current version: 1.0

Description: Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as
* TCP:80 (HTTP)
* TCP:443 (HTTPS)
* TCP:25 (SMTP)
* TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
x_mitre_detection |  |
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_old_attack_id | MOB-T1039 |
values_changed
STIX Field | Old value | New Value
modified | 2019-06-19 19:25:33.180000+00:00 | 2022-04-06 15:40:47.556000+00:00
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack

[T1475] Deliver Malicious App via Authorized App Store

Current version: 1.1

Description: Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices. App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:
* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)
* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)

Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang) Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer) Adversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
x_mitre_domains |  | ['mobile-attack']
x_mitre_is_subtechnique |  | False
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.
external_references |  | Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.
external_references |  | Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.
external_references |  | Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016.
external_references |  | Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016.
external_references |  | Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.
external_references |  | ECO-4
external_references |  | ECO-16
external_references |  | ECO-17
external_references |  | APP-20
external_references |  | APP-21
external_references |  | ECO-22
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_old_attack_id | MOB-T1078 |
external_references | ECO-4 |
external_references | ECO-16 |
external_references | ECO-17 |
external_references | APP-20 |
external_references | APP-21 |
external_references | ECO-22 |
external_references | Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016. |
external_references | Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016. |
external_references | Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016. |
external_references | Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016. |
external_references | Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016. |
external_references | Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016. |
values_changed
STIX Field | Old value | New Value
modified | 2019-10-14 17:42:49.817000+00:00 | 2022-04-06 15:41:33.827000+00:00
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Oberheide-Bouncer
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html | https://jon.oberheide.org/files/summercon12-bouncer.pdf
external_references[2]['source_name'] | NIST Mobile Threat Catalogue | Oberheide-RemoteInstall
external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html | https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/
external_references[3]['source_name'] | NIST Mobile Threat Catalogue | Percoco-Bouncer
external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html | https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf
external_references[4]['source_name'] | NIST Mobile Threat Catalogue | Konoth
external_references[4]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html | http://www.vvdveen.com/publications/BAndroid.pdf
external_references[5]['source_name'] | NIST Mobile Threat Catalogue | Petsas
external_references[5]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html | http://dl.acm.org/citation.cfm?id=2592796
external_references[6]['source_name'] | NIST Mobile Threat Catalogue | Wang
external_references[6]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html | https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei
external_references[7]['source_name'] | Petsas | NIST Mobile Threat Catalogue
external_references[7]['url'] | http://dl.acm.org/citation.cfm?id=2592796 | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html
external_references[8]['source_name'] | Oberheide-Bouncer | NIST Mobile Threat Catalogue
external_references[8]['url'] | https://jon.oberheide.org/files/summercon12-bouncer.pdf | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html
external_references[9]['source_name'] | Percoco-Bouncer | NIST Mobile Threat Catalogue
external_references[9]['url'] | https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html
external_references[10]['source_name'] | Wang | NIST Mobile Threat Catalogue
external_references[10]['url'] | https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html
external_references[11]['source_name'] | Oberheide-RemoteInstall | NIST Mobile Threat Catalogue
external_references[11]['url'] | https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html
external_references[12]['source_name'] | Konoth | NIST Mobile Threat Catalogue
external_references[12]['url'] | http://www.vvdveen.com/publications/BAndroid.pdf | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html

[T1476] Deliver Malicious App via Other Means

Current version: 1.2

Description: Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working. Delivery methods for the malicious application include:
* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.
* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.
* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)

Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references |  | A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018.
external_references |  | Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018.
external_references |  | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.
external_references |  | AUT-9
external_references |  | ECO-13
external_references |  | ECO-21
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_old_attack_id | MOB-T1079 |
external_references | AUT-9 |
external_references | ECO-13 |
external_references | ECO-21 |
external_references | Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018. |
external_references | Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018. |
external_references | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. |
values_changed
STIX Field | Old value | New Value
modified | 2021-02-09 14:28:47.076000+00:00 | 2022-04-06 15:41:16.863000+00:00
external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | IBTimes-ThirdParty
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html | https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861
external_references[2]['source_name'] | NIST Mobile Threat Catalogue | TrendMicro-RootingMalware
external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html | https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/
external_references[3]['source_name'] | NIST Mobile Threat Catalogue | android-trojan-steals-paypal-2fa
external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
external_references[4]['source_name'] | IBTimes-ThirdParty | TrendMicro-FlappyBird
external_references[4]['description'] | A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018. | Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018.
external_references[4]['url'] | https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861 | https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/
external_references[5]['source_name'] | TrendMicro-RootingMalware | NIST Mobile Threat Catalogue
external_references[5]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/ | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html
external_references[6]['source_name'] | TrendMicro-FlappyBird | NIST Mobile Threat Catalogue
external_references[6]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/ | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html
external_references[7]['source_name'] | android-trojan-steals-paypal-2fa | NIST Mobile Threat Catalogue
external_references[7]['url'] | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/ | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html

[T1449] Exploit SS7 to Redirect Phone Calls/SMS

Current version: 1.2

Description: An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.
external_references: CEL-37
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1052
external_references: CEL-37
external_references: Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018.
values_changed (STIX field: old value → new value)
modified: 2021-07-28 18:43:50.490000+00:00 → 2022-04-06 15:53:27.032000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → 3GPP-Security
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html → http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf
external_references[2]['source_name']: Engel-SS7 → CSRIC5-WG10-FinalReport
external_references[2]['description']: Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016. → Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.
external_references[2]['url']: https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf → https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf
external_references[3]['source_name']: Engel-SS7-2008 → TheRegister-SS7
external_references[3]['description']: Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016. → Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018.
external_references[3]['url']: https://www.youtube.com/watch?v=q0n5ySqbfdI → https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
external_references[4]['source_name']: 3GPP-Security → Positive-SS7
external_references[4]['description']: 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016. → Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.
external_references[4]['url']: http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf → https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf
external_references[5]['source_name']: Positive-SS7 → Engel-SS7-2008
external_references[5]['description']: Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016. → Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.
external_references[5]['url']: https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf → https://www.youtube.com/watch?v=q0n5ySqbfdI
external_references[6]['source_name']: CSRIC5-WG10-FinalReport → Engel-SS7
external_references[6]['description']: Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017. → Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.
external_references[6]['url']: https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf → https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf
external_references[7]['source_name']: TheRegister-SS7 → NIST Mobile Threat Catalogue
external_references[7]['url']: https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/ → https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html

[T1405] Exploit TEE Vulnerability

Current version: 1.0

Description: A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain the privileges held by the TEE, potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may first be required in order to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_detection: ""
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016.
external_references: APP-27
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1008
external_references: APP-27
external_references: laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016.
values_changed (STIX field: old value → new value)
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-06 15:41:57.666000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → EkbergTEE
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html → https://usmile.at/symposium/program/2015/ekberg
external_references[4]['source_name']: EkbergTEE → laginimaineb-TEE
external_references[4]['description']: Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016. → laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016.
external_references[4]['url']: https://usmile.at/symposium/program/2015/ekberg → http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html
external_references[5]['source_name']: laginimaineb-TEE → NIST Mobile Threat Catalogue
external_references[5]['url']: http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

[T1477] Exploit via Radio Interfaces

Current version: 1.1

Description: The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.

Baseband Vulnerability Exploitation: A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi (Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device. (Citation: Register-BaseStation) (Citation: Weinmann-Baseband)

Malicious SMS Message: An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. (Citation: Forbes-iPhoneSMS) An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages. (Citation: SRLabs-SIMCard)

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_detection: ""
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1080
values_changed (STIX field: old value → new value)
modified: 2019-02-03 15:19:22.439000+00:00 → 2022-04-06 15:42:13.444000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: ProjectZero-BroadcomWiFi → Forbes-iPhoneSMS
external_references[1]['description']: Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018. → Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016.
external_references[1]['url']: https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html → http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html
external_references[3]['source_name']: Weinmann-Baseband → ProjectZero-BroadcomWiFi
external_references[3]['description']: R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016. → Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018.
external_references[3]['url']: https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf → https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
external_references[4]['source_name']: Forbes-iPhoneSMS → Weinmann-Baseband
external_references[4]['description']: Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016. → R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016.
external_references[4]['url']: http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html → https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf

[T1444] Masquerade as Legitimate Application

Current version: 2.1

Description: An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application. Embedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it. (Citation: Zhou) The app would appear to be the original app but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method. Pretending to be a legitimate application relies heavily on a lack of scrutiny by the user. Typically, a malicious app pretending to be a legitimate one will share many details with the legitimate one, such as name, icon, and description. (Citation: Palo Alto HenBox) Malicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear legitimate to the user, increasing the likelihood that the access will be granted.
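
An added example, written for this page and not part of the ATT&CK changelog or of any project it cites, of the check a defender can run over an app inventory for the two masquerading patterns described above. It relies on one fact the description leaves implicit: a re-assembled APK cannot carry the original developer's signature, so a repackaged app keeps the package name but arrives under a different signing certificate, while a look-alike keeps the visible label but uses its own package name. The allowlist, package names and signer fingerprints are constructed sample data, and the 0.85 label-similarity threshold is an assumption chosen for the illustration.

```python
"""Added example: flag apps that masquerade as legitimate ones (ATT&CK T1444).

Two signals are checked against a constructed allowlist of known-good apps:
  * repackaged: same package name as a known app, different signing certificate
    (a modified APK must be re-signed, so the signer changes);
  * lookalike:  different package name, but a launcher label that closely
    imitates a known app's label.
All names and fingerprints below are constructed, not real."""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class AppInfo:
    package: str        # Android package name, e.g. com.example.bank
    label: str          # human-visible app name shown on the launcher
    signer_sha256: str  # hex SHA-256 of the signing certificate (constructed)


# Constructed allowlist: the apps we expect to see and the keys they are signed with.
KNOWN_APPS = [
    AppInfo("com.example.bank", "Example Bank", "aa" * 32),
    AppInfo("com.example.messenger", "Example Messenger", "bb" * 32),
]


def _similar(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical labels."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify(app: AppInfo, known=KNOWN_APPS, label_threshold: float = 0.85) -> str:
    """Return 'trusted', 'repackaged', 'lookalike' or 'unknown' for one app."""
    by_package = {k.package: k for k in known}
    ref = by_package.get(app.package)
    if ref is not None:
        # Same package name: the signer must match, otherwise the APK was re-signed.
        return "trusted" if app.signer_sha256 == ref.signer_sha256 else "repackaged"
    # Different package name: does the label imitate a known app?
    for k in known:
        if _similar(app.label, k.label) >= label_threshold:
            return "lookalike"
    return "unknown"


def scan(inventory, known=KNOWN_APPS) -> dict:
    """Map each package name in an inventory to its classification."""
    return {a.package: classify(a, known) for a in inventory}


# Constructed device inventory exercising all four outcomes.
SAMPLE_INVENTORY = [
    AppInfo("com.example.bank", "Example Bank", "aa" * 32),            # genuine
    AppInfo("com.example.messenger", "Example Messenger", "cc" * 32),  # re-signed copy
    AppInfo("com.exarnple.bank", "Examp1e Bank", "dd" * 32),           # impostor
    AppInfo("com.vendor.notes", "Notes", "ee" * 32),                   # unrelated app
]

if __name__ == "__main__":
    for pkg, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{pkg}: {verdict}")
```

On a real fleet the inventory comes from the device management system or from `apksigner verify --print-certs` on pulled APKs; the signer comparison is the strong signal, the label comparison only narrows down candidates for manual review.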

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
external_references: Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.
external_references: APP-31
external_references: APP-14
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1047
external_references: APP-31
external_references: APP-14
external_references: Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.
external_references: A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
values_changed (STIX field: old value → new value)
modified: 2020-04-08 15:19:56.147000+00:00 → 2022-04-06 15:45:52.558000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Palo Alto HenBox
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html → https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/
external_references[2]['source_name']: NIST Mobile Threat Catalogue → Zhou
external_references[2]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html → http://ieeexplore.ieee.org/document/6234407
external_references[3]['source_name']: Zhou → NIST Mobile Threat Catalogue
external_references[3]['url']: http://ieeexplore.ieee.org/document/6234407 → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html
external_references[4]['source_name']: Palo Alto HenBox → NIST Mobile Threat Catalogue
external_references[4]['url']: https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html

[T1403] Modify Cached Executable Code

Current version: 1.1

Description: ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)
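
An added example, not from the page and not Android's own code, of the external integrity check the description implies: record SHA-256 digests of the on-device compiled artifacts while the device is known-good, then diff a later snapshot to surface rewritten or injected cache files. The file names and contents below are constructed stand-ins, not real ART output; on a real device the baseline would be built over the cache directory (for example /data/dalvik-cache) pulled from a known-good image. The comparison is by content hash only, because an adversary with elevated privileges can also reset timestamps and sizes.

```python
"""Added example: baseline-and-compare check for on-device compiled code (ATT&CK T1403).

Cached code compiled on the device may not get the integrity checks applied to
the system partition, so the check is supplied from outside: hash every file in
the cache while the device is trusted, store the manifest off-device, and diff a
later snapshot against it. Paths and bytes in demo() are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted manifest and a later snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Simulate privileged tampering with one cached artifact and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "dalvik-cache", "arm64")
        os.makedirs(cache)
        # Constructed stand-ins for compiled artifacts (not real OAT/ODEX bytes).
        with open(os.path.join(cache, "system@framework@boot.oat"), "wb") as f:
            f.write(b"oat\n" + b"\x00" * 64)
        with open(os.path.join(cache, "data@app@com.example.bank.odex"), "wb") as f:
            f.write(b"odex-original")
        trusted = build_baseline(root)   # taken while the device is known-good

        # Adversary with escalated privileges rewrites cached code in place...
        with open(os.path.join(cache, "data@app@com.example.bank.odex"), "wb") as f:
            f.write(b"odex-tampered")
        # ...and drops an additional artifact into the cache.
        with open(os.path.join(cache, "data@app@com.example.injected.odex"), "wb") as f:
            f.write(b"odex-new")
        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken before the device is exposed and stored where the device cannot rewrite it; a manifest kept on the same filesystem is within reach of the same privileges that modified the cache.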

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1006
values_changed (STIX field: old value → new value)
modified: 2019-10-09 19:39:32.872000+00:00 → 2022-04-06 15:46:29.338000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack

[T1399] Modify Trusted Execution Environment

Current version: 1.1

Description: If an adversary can escalate privileges, they may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment, where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior. (Citation: Roth-Rootkits)

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Apple. (2016, May). iOS Security. Retrieved December 21, 2016.
external_references: APP-27
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1002
external_references: APP-27
external_references: Apple. (2016, May). iOS Security. Retrieved December 21, 2016.
values_changed (STIX field: old value → new value)
modified: 2019-02-03 14:23:10.576000+00:00 → 2022-04-06 15:48:41.647000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Apple-iOSSecurityGuide
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html → https://www.apple.com/business/docs/iOS_Security_Guide.pdf
external_references[3]['source_name']: Apple-iOSSecurityGuide → NIST Mobile Threat Catalogue
external_references[3]['url']: https://www.apple.com/business/docs/iOS_Security_Guide.pdf → https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

[T1470] Obtain Device Cloud Backups

Current version: 1.0

Description: An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.
external_references: Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018.
external_references: ECO-0
external_references: ECO-1
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1073
external_references: ECO-0
external_references: ECO-1
external_references: Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.
external_references: Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018.
values_changed (STIX field: old value → new value)
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-06 15:54:11.189000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Elcomsoft-EPPB
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html → https://www.elcomsoft.com/eppb.html
external_references[2]['source_name']: NIST Mobile Threat Catalogue → Elcomsoft-WhatsApp
external_references[2]['url']: https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html → https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/
external_references[3]['source_name']: Elcomsoft-EPPB → NIST Mobile Threat Catalogue
external_references[3]['url']: https://www.elcomsoft.com/eppb.html → https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html
external_references[4]['source_name']: Elcomsoft-WhatsApp → NIST Mobile Threat Catalogue
external_references[4]['url']: https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/ → https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html

[T1469] Remotely Wipe Data Without Authorization

Current version: 1.0

Description: An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_domains: ['mobile-attack']
x_mitre_is_subtechnique: False
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.
external_references: EMM-7
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1072
external_references: ECO-5
external_references: Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.
values_changed (STIX field: old value → new value)
modified: 2018-10-17 00:14:20.652000+00:00 → 2022-04-06 15:54:28.187000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Honan-Hacking
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html → https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
external_references[2]['url']: https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html → https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html
external_references[2]['external_id']: EMM-7 → ECO-5
external_references[3]['source_name']: Honan-Hacking → NIST Mobile Threat Catalogue
external_references[3]['url']: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ → https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html

[T1451] SIM Card Swap

Current version: 1.2

Description: An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap) One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)
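
An added example, not part of the ATT&CK changelog, covering the shared consequence of [T1449] Exploit SS7 to Redirect Phone Calls/SMS and [T1451] SIM Card Swap: in both cases the adversary ends up receiving the SMS sent to the victim's number, so any reset or login flow that treats a correct SMS code as sufficient proof of identity hands over the account. The toy network model, the account store and the recovery factor are constructed for the illustration; the hardened flow shows one policy (an SMS code counts only alongside a factor the SMS channel cannot carry), not the design of any specific service.

```python
"""Added example: why an SMS-only reset flow falls to SS7 redirection (T1449) or a
SIM swap (T1451), and one hardened alternative. Everything here is a constructed
in-memory model; no real carrier or service behaviour is implied."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    phone: str
    password: str
    recovery_secret: str  # assumed second factor that never travels over SMS (TOTP, recovery key)


class SmsNetwork:
    """Constructed delivery model: each number is bound to the inbox that
    currently receives its SMS. An SS7 redirect or a SIM swap is, from the
    service's point of view, nothing more than a re-binding of that number."""

    def __init__(self):
        self.binding = {}   # phone -> inbox name
        self.inboxes = {}   # inbox name -> received messages

    def bind(self, phone: str, inbox: str) -> None:
        self.binding[phone] = inbox
        self.inboxes.setdefault(inbox, [])

    def send(self, phone: str, text: str) -> None:
        self.inboxes[self.binding[phone]].append(text)

    def last(self, inbox: str) -> str:
        msgs = self.inboxes.get(inbox, [])
        return msgs[-1] if msgs else ""


def send_code(net: SmsNetwork, account: Account) -> str:
    """Service side: generate a one-time code and SMS it to the number on record."""
    code = f"{secrets.randbelow(10**6):06d}"
    net.send(account.phone, code)
    return code


def weak_reset(net, account, requester_inbox, new_password) -> bool:
    """Vulnerable flow: a correct SMS code is the only proof of identity,
    so whoever currently receives the number's SMS can reset the password."""
    code = send_code(net, account)
    if hmac.compare_digest(net.last(requester_inbox), code):
        account.password = new_password
        return True
    return False


def hardened_reset(net, account, requester_inbox, new_password, recovery_secret) -> bool:
    """Hardened flow: the SMS code is accepted only together with a factor the
    SMS channel cannot leak, and no code is even sent until that factor checks out."""
    if not hmac.compare_digest(recovery_secret, account.recovery_secret):
        return False
    code = send_code(net, account)
    if not hmac.compare_digest(net.last(requester_inbox), code):
        return False
    account.password = new_password
    return True


def scenario() -> dict:
    """Run both flows against an intercepted number and report what each allowed."""
    net = SmsNetwork()
    victim = Account("+15550100", "original", "correct-horse")
    net.bind(victim.phone, "victim-handset")
    # SIM swap at the carrier or SS7 redirect: the attacker now receives the SMS.
    net.bind(victim.phone, "attacker-handset")
    weak = weak_reset(net, victim, "attacker-handset", "pwned")
    hard = hardened_reset(net, victim, "attacker-handset", "pwned2", "guess")
    # Number recovered from the carrier; the owner, holding the second factor, resets.
    net.bind(victim.phone, "victim-handset")
    owner = hardened_reset(net, victim, "victim-handset", "restored", "correct-horse")
    return {
        "weak_flow_compromised": weak,
        "hardened_flow_compromised": hard,
        "owner_recovers": owner,
        "final_password": victim.password,
    }


if __name__ == "__main__":
    print(scenario())
```

The point of `hardened_reset` checking the non-SMS factor before sending any code is that an attacker who controls the number learns nothing from a reset attempt; services that send the code first and ask for the second factor afterwards still leak a valid code to the intercepted channel.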

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: True
x_mitre_detection: ""
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016.
external_references: STA-22
dictionary_item_removed (STIX field: old value)
x_mitre_old_attack_id: MOB-T1054
external_references: STA-22
external_references: John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018.
values_changed (STIX field: old value → new value)
modified: 2021-09-30 18:45:26.323000+00:00 → 2022-04-06 15:53:54.872000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: NIST Mobile Threat Catalogue → Betanews-Simswap
external_references[1]['url']: https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html → http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/
external_references[2]['source_name']: NYGov-Simswap → Krebs-SimSwap
external_references[2]['description']: New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016. → Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018.
external_references[2]['url']: http://www.dos.ny.gov/consumerprotection/scams/att-sim.html → https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/
external_references[3]['source_name']: Motherboard-Simswap2 → TechCrunch-SimSwap
external_references[3]['description']: Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018. → John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018.
external_references[3]['url']: https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam → https://techcrunch.com/2017/08/23/i-was-hacked/
external_references[4]['source_name']: Betanews-Simswap → Motherboard-Simswap2
external_references[4]['description']: Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016. → Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018.
external_references[4]['url']: http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/ → https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam
external_references[5]['source_name']: Guardian-Simswap → Motherboard-Simswap1
external_references[5]['description']: Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016. → Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018.
external_references[5]['url']: https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters → https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
external_references[6]['source_name']: Motherboard-Simswap1 → Guardian-Simswap
external_references[6]['description']: Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018. → Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016.
external_references[6]['url']: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin → https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters
external_references[7]['source_name']: Krebs-SimSwap → NYGov-Simswap
external_references[7]['description']: Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018. → New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016.
external_references[7]['url']: https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/ → http://www.dos.ny.gov/consumerprotection/scams/att-sim.html
external_references[8]['source_name']: TechCrunch-SimSwap → NIST Mobile Threat Catalogue
external_references[8]['url']: https://techcrunch.com/2017/08/23/i-was-hacked/ → https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html

Software

mobile-attack

Minor Version Changes

[S0182] FinFisher

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['enterprise-attack', 'mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed (STIX field: old value → new value)
modified: 2020-03-30 15:32:08.360000+00:00 → 2022-03-02 15:47:13.329000+00:00
x_mitre_version: 1.3 → 1.4

[S0490] XLoader for iOS

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed (STIX field: old value → new value)
modified: 2020-10-16 01:48:10.412000+00:00 → 2021-12-07 14:46:08.852000+00:00
x_mitre_version: 1.0 → 1.1

Other Version Changes

[S0309] Adups

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['Adups']
x_mitre_old_attack_id: MOB-S0025
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0319] Allwinner

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['Allwinner']
x_mitre_old_attack_id: MOB-S0035
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0292] AndroRAT

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['AndroRAT']
x_mitre_old_attack_id: MOB-S0008
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0293] BrainTest

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
external_references: http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['BrainTest']
x_mitre_old_attack_id: MOB-S0009
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
modified: 2018-12-11 20:40:31.461000+00:00 → 2022-04-15 15:36:43.770000+00:00
external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
external_references[1]['source_name']: BrainTest → CheckPoint-BrainTest
external_references[1]['description']: (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest) → Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.
external_references[2]['source_name']: CheckPoint-BrainTest → Lookout-BrainTest
external_references[2]['description']: Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016. → Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
external_references[2]['url']: http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/ → https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/
x_mitre_version: 1.1 → 1.0
iterable_item_removed (STIX field: old value)
external_references: {'source_name': 'Lookout-BrainTest', 'description': 'Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.', 'url': 'https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/'}

[S0300] DressCode

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['DressCode']
x_mitre_old_attack_id: MOB-S0016
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0315] DualToy

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['DualToy']
x_mitre_old_attack_id: MOB-S0031
x_mitre_platforms: ['Android', 'iOS']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0322] HummingBad

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['HummingBad']
x_mitre_old_attack_id: MOB-S0038
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0321] HummingWhale

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['HummingWhale']
x_mitre_old_attack_id: MOB-S0037
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0325] Judy

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 2.1.0
x_mitre_domains: ['mobile-attack']
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed (STIX field: old value)
x_mitre_aliases: ['Judy']
x_mitre_old_attack_id: MOB-S0041
x_mitre_platforms: ['Android']
values_changed (STIX field: old value → new value)
x_mitre_version: 1.1 → 1.0

[S0288] KeyRaider

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['KeyRaider']
  x_mitre_old_attack_id: MOB-S0004
  x_mitre_platforms: ['iOS']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0317] Marcher

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
  external_references: https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks
dictionary_item_removed
  x_mitre_aliases: ['Marcher']
  x_mitre_old_attack_id: MOB-S0033
  x_mitre_platforms: ['Android']
values_changed
  external_references[1]['source_name']: Marcher → Proofpoint-Marcher
  external_references[1]['description']: (Citation: Proofpoint-Marcher) → Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.
  x_mitre_version: 1.1 → 1.0
iterable_item_removed
  external_references: {'source_name': 'Proofpoint-Marcher', 'description': 'Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks'}

[S0303] MazarBOT

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['MazarBOT']
  x_mitre_old_attack_id: MOB-S0019
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0299] NotCompatible

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['NotCompatible']
  x_mitre_old_attack_id: MOB-S0015
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0286] OBAD

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['OBAD']
  x_mitre_old_attack_id: MOB-S0002
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0285] OldBoot

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['OldBoot']
  x_mitre_old_attack_id: MOB-S0001
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0291] PJApps

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['PJApps']
  x_mitre_old_attack_id: MOB-S0007
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0313] RuMMS

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['RuMMS']
  x_mitre_old_attack_id: MOB-S0029
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0294] ShiftyBug

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['ShiftyBug']
  x_mitre_old_attack_id: MOB-S0010
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0307] Trojan-SMS.AndroidOS.Agent.ao

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['Trojan-SMS.AndroidOS.Agent.ao']
  x_mitre_old_attack_id: MOB-S0023
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0306] Trojan-SMS.AndroidOS.FakeInst.a

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['Trojan-SMS.AndroidOS.FakeInst.a']
  x_mitre_old_attack_id: MOB-S0022
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0308] Trojan-SMS.AndroidOS.OpFake.a

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['Trojan-SMS.AndroidOS.OpFake.a']
  x_mitre_old_attack_id: MOB-S0024
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0312] WireLurker

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
  external_references: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
dictionary_item_removed
  x_mitre_aliases: ['WireLurker']
  x_mitre_old_attack_id: MOB-S0028
  x_mitre_platforms: ['iOS']
values_changed
  external_references[1]['description']: (Citation: PaloAlto-WireLurker) → Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
  x_mitre_version: 1.1 → 1.0

[S0314] X-Agent for Android

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['X-Agent for Android']
  x_mitre_old_attack_id: MOB-S0030
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0298] Xbot

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['Xbot']
  x_mitre_old_attack_id: MOB-S0014
  x_mitre_platforms: ['Android']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0297] XcodeGhost

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['XcodeGhost']
  x_mitre_old_attack_id: MOB-S0013
  x_mitre_platforms: ['iOS']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0311] YiSpecter

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['YiSpecter']
  x_mitre_old_attack_id: MOB-S0027
  x_mitre_platforms: ['iOS']
values_changed
  x_mitre_version: 1.1 → 1.0

[S0287] ZergHelper

Current version: 1.0

Version changed from: 1.1 → 1.0

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_aliases: ['ZergHelper']
  x_mitre_old_attack_id: MOB-S0003
  x_mitre_platforms: ['iOS']
values_changed
  x_mitre_version: 1.1 → 1.0

Patches

[S0320] DroidJack

Current version: 1.2

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_deprecated: False
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  x_mitre_old_attack_id: MOB-S0036
values_changed
  modified: 2019-08-09 18:02:06.618000+00:00 → 2022-05-20 17:13:16.506000+00:00
  external_references[0]['source_name']: mitre-mobile-attack → mitre-attack
  external_references[2]['source_name']: Zscaler-SuperMarioRun → Proofpoint-Droidjack
  external_references[2]['description']: Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017. → Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.
  external_references[2]['url']: https://www.zscaler.com/blogs/research/super-mario-run-malware-2-–-droidjack-rat → https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app
  external_references[3]['source_name']: Proofpoint-Droidjack → Zscaler-SuperMarioRun
  external_references[3]['description']: Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017. → Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017.
  external_references[3]['url']: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app → https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat

Groups

mobile-attack

Major Version Changes

[G0007] APT28

Current version: 4.0

Version changed from: 3.2 → 4.0

Details
dictionary_item_added
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
  external_references: https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
values_changed
  modified: 2021-10-18 20:34:03.233000+00:00 → 2022-03-16 18:08:13.958000+00:00
  external_references[2]['source_name']: SNAKEMACKEREL → IRON TWILIGHT
  external_references[2]['description']: (Citation: Accenture SNAKEMACKEREL Nov 2018) → (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
  external_references[3]['source_name']: Swallowtail → SNAKEMACKEREL
  external_references[3]['description']: (Citation: Symantec APT28 Oct 2018) → (Citation: Accenture SNAKEMACKEREL Nov 2018)
  external_references[4]['source_name']: Group 74 → Swallowtail
  external_references[4]['description']: (Citation: Talos Seduploader Oct 2017) → (Citation: Symantec APT28 Oct 2018)
  external_references[5]['source_name']: Sednit → Group 74
  external_references[5]['description']: This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) → (Citation: Talos Seduploader Oct 2017)
  external_references[6]['source_name']: Sofacy → Sednit
  external_references[6]['description']: This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) → This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)
  external_references[7]['source_name']: Pawn Storm → Sofacy
  external_references[7]['description']: (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) → This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)
  external_references[8]['source_name']: Fancy Bear → Pawn Storm
  external_references[8]['description']: (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) → (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020)
  external_references[9]['source_name']: STRONTIUM → Fancy Bear
  external_references[9]['description']: (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) → (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
  external_references[10]['source_name']: Tsar Team → STRONTIUM
  external_references[10]['description']: (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) → (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
  external_references[11]['source_name']: Threat Group-4127 → Tsar Team
  external_references[11]['description']: (Citation: SecureWorks TG-4127) → (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)
  external_references[12]['source_name']: TG-4127 → Threat Group-4127
  external_references[13]['source_name']: NSA/FBI Drovorub August 2020 → TG-4127
  external_references[13]['description']: NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. → (Citation: SecureWorks TG-4127)
  external_references[14]['source_name']: Cybersecurity Advisory GRU Brute Force Campaign July 2021 → NSA/FBI Drovorub August 2020
  external_references[14]['description']: NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. → NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  external_references[14]['url']: https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF → https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
  external_references[15]['source_name']: DOJ GRU Indictment Jul 2018 → Cybersecurity Advisory GRU Brute Force Campaign July 2021
  external_references[15]['description']: Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. → NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  external_references[15]['url']: https://www.justice.gov/file/1080281/download → https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
  external_references[16]['source_name']: Ars Technica GRU indictment Jul 2018 → DOJ GRU Indictment Jul 2018
  external_references[16]['description']: Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. → Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  external_references[16]['url']: https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ → https://www.justice.gov/file/1080281/download
  external_references[17]['source_name']: Crowdstrike DNC June 2016 → Ars Technica GRU indictment Jul 2018
  external_references[17]['description']: Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. → Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
  external_references[17]['url']: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ → https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/
  external_references[18]['source_name']: FireEye APT28 → Crowdstrike DNC June 2016
  external_references[18]['description']: FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. → Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  external_references[18]['url']: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf → https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
  external_references[19]['source_name']: SecureWorks TG-4127 → FireEye APT28
  external_references[19]['description']: SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. → FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  external_references[19]['url']: https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign → https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
  external_references[20]['source_name']: FireEye APT28 January 2017 → SecureWorks TG-4127
  external_references[20]['description']: FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. → SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
  external_references[20]['url']: https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf → https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign
  external_references[21]['source_name']: GRIZZLY STEPPE JAR → FireEye APT28 January 2017
  external_references[21]['description']: Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. → FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  external_references[21]['url']: https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf → https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
  external_references[22]['source_name']: Sofacy DealersChoice → GRIZZLY STEPPE JAR
  external_references[22]['description']: Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. → Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  external_references[22]['url']: https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ → https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
  external_references[23]['source_name']: Palo Alto Sofacy 06-2018 → Sofacy DealersChoice
  external_references[23]['description']: Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. → Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  external_references[23]['url']: https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ → https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/
  external_references[24]['source_name']: Symantec APT28 Oct 2018 → Palo Alto Sofacy 06-2018
  external_references[24]['description']: Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. → Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  external_references[24]['url']: https://www.symantec.com/blogs/election-security/apt28-espionage-military-government → https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
  external_references[25]['source_name']: ESET Zebrocy May 2019 → Symantec APT28 Oct 2018
  external_references[25]['description']: ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. → Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  external_references[25]['url']: https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ → https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
  external_references[26]['source_name']: US District Court Indictment GRU Oct 2018 → ESET Zebrocy May 2019
  external_references[26]['description']: Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. → ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  external_references[26]['url']: https://www.justice.gov/opa/page/file/1098481/download → https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
  external_references[27]['source_name']: Kaspersky Sofacy → US District Court Indictment GRU Oct 2018
  external_references[27]['description']: Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. → Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  external_references[27]['url']: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ → https://www.justice.gov/opa/page/file/1098481/download
  external_references[28]['source_name']: ESET Sednit Part 3 → Kaspersky Sofacy
  external_references[28]['description']: ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. → Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  external_references[28]['url']: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf → https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
  external_references[29]['source_name']: Talos Seduploader Oct 2017 → ESET Sednit Part 3
  external_references[29]['description']: Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. → ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  external_references[29]['url']: https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html → http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
  external_references[30]['source_name']: Securelist Sofacy Feb 2018 → Talos Seduploader Oct 2017
  external_references[30]['description']: Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. → Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  external_references[30]['url']: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ → https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
  external_references[31]['source_name']: Accenture SNAKEMACKEREL Nov 2018 → Securelist Sofacy Feb 2018
  external_references[31]['description']: Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. → Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  external_references[31]['url']: https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 → https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
  external_references[32]['source_name']: TrendMicro Pawn Storm Dec 2020 → Secureworks IRON TWILIGHT Profile
  external_references[32]['description']: Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. → Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
  external_references[32]['url']: https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html → https://www.secureworks.com/research/threat-profiles/iron-twilight
  external_references[33]['source_name']: Microsoft STRONTIUM Aug 2019 → Secureworks IRON TWILIGHT Active Measures March 2017
  external_references[33]['description']: MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. → Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  external_references[33]['url']: https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ → https://www.secureworks.com/research/iron-twilight-supports-active-measures
  external_references[34]['source_name']: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 → Accenture SNAKEMACKEREL Nov 2018
  external_references[34]['description']: Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. → Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  external_references[34]['url']: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ → https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
  x_mitre_version: 3.2 → 4.0
iterable_item_added
  aliases: IRON TWILIGHT
  external_references: {'source_name': 'TrendMicro Pawn Storm Dec 2020', 'description': 'Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.', 'url': 'https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html'}
  external_references: {'source_name': 'Microsoft STRONTIUM Aug 2019', 'description': 'MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.', 'url': 'https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/'}
  external_references: {'source_name': 'Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020', 'description': 'Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.', 'url': 'https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/'}

Minor Version Changes

[G0034] Sandworm Team

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
dictionary_item_added
  x_mitre_attack_spec_version: 2.1.0
  x_mitre_contributors: ['Dragos Threat Intelligence']
  x_mitre_deprecated: False
  x_mitre_domains: ['mobile-attack']
  x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
  modified: 2021-10-15 21:46:19.437000+00:00 → 2022-05-23 21:21:17.572000+00:00
  external_references[1]['source_name']: Sandworm Team → VOODOO BEAR
  external_references[1]['description']: (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
  external_references[3]['source_name']: Telebots → Sandworm Team
  external_references[3]['description']: (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
  external_references[4]['source_name']: IRON VIKING → Quedagh
  external_references[4]['description']: (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)
  external_references[6]['source_name']: Quedagh → Telebots
  external_references[6]['description']: (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
  external_references[7]['source_name']: VOODOO BEAR → IRON VIKING
  external_references[7]['description']: (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
  external_references[8]['source_name']: US District Court Indictment GRU Unit 74455 October 2020 → US District Court Indictment GRU Oct 2018
  external_references[8]['description']: Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. → Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  external_references[8]['url']: https://www.justice.gov/opa/press-release/file/1328521/download → https://www.justice.gov/opa/page/file/1098481/download
  external_references[9]['source_name']: UK NCSC Olympic Attacks October 2020 → Dragos ELECTRUM
  external_references[9]['description']: UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. → Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
  external_references[9]['url']: https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games → https://www.dragos.com/resource/electrum/
  external_references[10]['source_name']: iSIGHT Sandworm 2014 → F-Secure BlackEnergy 2014
  external_references[10]['description']: Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. → F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  external_references[10]['url']: https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html → https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
external_references[11]['source_name']CrowdStrike VOODOO BEARiSIGHT Sandworm 2014
external_references[11]['description']Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
external_references[11]['url']https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
external_references[12]['source_name']USDOJ Sandworm Feb 2020CrowdStrike VOODOO BEAR
external_references[12]['description']Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
external_references[12]['url']https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.htmlhttps://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/
external_references[13]['source_name']NCSC Sandworm Feb 2020InfoSecurity Sandworm Oct 2014
external_references[13]['description']NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.
external_references[13]['url']https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisoryhttps://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/
external_references[14]['source_name']US District Court Indictment GRU Oct 2018NCSC Sandworm Feb 2020
external_references[14]['description']Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
external_references[14]['url']https://www.justice.gov/opa/page/file/1098481/downloadhttps://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory
external_references[15]['source_name']F-Secure BlackEnergy 2014USDOJ Sandworm Feb 2020
external_references[15]['description']F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
external_references[15]['url']https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdfhttps://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html
external_references[16]['source_name']InfoSecurity Sandworm Oct 2014US District Court Indictment GRU Unit 74455 October 2020
external_references[16]['description']Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
external_references[16]['url']https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/https://www.justice.gov/opa/press-release/file/1328521/download
external_references[17]['source_name']Dragos ELECTRUMSecureworks IRON VIKING
external_references[17]['description']Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
external_references[17]['url']https://www.dragos.com/resource/electrum/https://www.secureworks.com/research/threat-profiles/iron-viking
external_references[18]['source_name']Secureworks IRON VIKING UK NCSC Olympic Attacks October 2020
external_references[18]['description']Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.
external_references[18]['url']https://www.secureworks.com/research/threat-profiles/iron-vikinghttps://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games
x_mitre_version2.12.2

Mitigations

mobile-attack

Deprecations

[M1005] Application Vetting

Current version: 1.0

Description: Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service. Enterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device. Application Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
values_changed
STIX Field | Old value | New Value
modified | 2021-02-18 16:14:17.809000+00:00 | 2022-04-06 14:47:46.019000+00:00

[M1007] Caution with Device Administrator Access

Current version: 1.0

Description: Warn device users not to accept requests to grant Device Administrator access to applications without good reason. Additionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
x_mitre_domains |  | ['mobile-attack']
x_mitre_modified_by_ref |  | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_old_attack_id | MOB-M1007 | 
values_changed
STIX Field | Old value | New Value
modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 14:47:19.714000+00:00