|
These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readble output used to create this page: changelog.json
Current version: 1.0
Description: Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Current version: 1.0
Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts.
Current version: 2.0
Description: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.
Current version: 1.0
Description: Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA. For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).
Current version: 1.0
Description: Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Current version: 1.0
Description: Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. An intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. In addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)
Current version: 1.0
Description: Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. If the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval.
Current version: 1.0
Description: Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. If the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval.
Current version: 1.0
Description: Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.
Current version: 1.0
Description: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s `Runtime` package. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.
Current version: 1.0
Description: Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. Adversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device.
Current version: 1.0
Description: Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system.
Current version: 1.0
Description: Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)
Current version: 1.0
Description: Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Current version: 1.0
Description: Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. If the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval.
Current version: 1.0
Description: Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
Current version: 1.0
Description: Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.
Current version: 1.0
Description: Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
Current version: 1.0
Description: Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app. Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.
Current version: 1.0
Description: An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018) Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)
Current version: 1.0
Description: Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.
Current version: 1.0
Description: An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)
Current version: 1.0
Description: Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018) DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.
Current version: 1.0
Description: Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
Current version: 1.0
Description: Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword) On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)
Current version: 1.0
Description: Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.
Current version: 1.0
Description: Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019) Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
Current version: 1.0
Description: Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels.
Current version: 1.0
Description: Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Current version: 1.0
Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.
Current version: 1.0
Description: Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.
Current version: 1.0
Description: Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices) There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include: * Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background) * Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)
Current version: 1.0
Description: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS
Current version: 1.0
Description: Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv) [Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include "Allow only while using the app", which will effectively prohibit background location collection. Similarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground. [Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.
Current version: 1.0
Description: Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.
Current version: 1.0
Description: Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. There are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.
Current version: 1.0
Description: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.
Current version: 1.0
Description: Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)
Current version: 1.0
Description: Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.
Current version: 1.0
Description: Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)
Current version: 1.0
Description: Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them. Some methods of keylogging include: * Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested. * Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. *Additional methods of keylogging may be possible if root access is available.
Current version: 1.0
Description: Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Current version: 2.0
Description: Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. On Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. On iOS, there is no way to programmatically read push notifications.
Current version: 1.0
Description: Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.
Current version: 1.0
Description: Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Both Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.
Current version: 1.0
Description: Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. In almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. If the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval.
Current version: 1.0
Description: Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) Ptrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.
Current version: 1.0
Description: An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location)
Current version: 1.0
Description: Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. If the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval.
Current version: 1.0
Description: Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.
Current version: 1.0
Description: Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
Current version: 1.0
Description: Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.
Current version: 1.0
Description: Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Current version: 1.0
Description: Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert.
Current version: 1.0
Description: A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)
Current version: 1.0
Description: Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.
Current version: 1.0
Description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Hardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.
Current version: 1.0
Description: Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.
Current version: 1.0
Description: Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact. One method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10. Adversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control. [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)
Current version: 1.0
Description: Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)
Current version: 1.0
Description: Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: * Abusing device owner permissions to perform silent uninstallation using device owner API calls. * Abusing root permissions to delete files from the filesystem. * Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.
Current version: 1.0
Description: Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.
Current version: 1.0
Description: Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.
Current version: 1.0
Description: Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment.
Current version: 1.0
Description: Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. Web protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect.
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Data is encrypted before being exfiltrated in order to hide | t | 1 | Adversaries may compress and/or encrypt data that is collect |
| > | the information that is being exfiltrated from detection or | > | ed prior to exfiltration. Compressing data can help to obfus | ||
| > | to make the exfiltration less conspicuous upon inspection by | > | cate its contents and minimize use of network resources. Enc | ||
| > | a defender. The encryption is performed by a utility, progr | > | ryption can be used to hide information that is being exfilt | ||
| > | amming library, or custom algorithm on the data itself and i | > | rated from detection or make exfiltration less conspicuous u | ||
| > | s considered separate from any encryption performed by the c | > | pon inspection by a defender. Both compression and encr | ||
| > | ommand and control or file transfer protocol. Common file fo | > | yption are done prior to exfiltration, and can be performed | ||
| > | rmats that can encrypt files are RAR and zip. | > | using a utility, programming library, or custom algorithm. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-10 15:00:44.181000+00:00 | 2022-04-01 15:01:02.140000+00:00 |
| name | Data Encrypted | Archive Collected Data |
| description | Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip. | Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. |
| kill_chain_phases[0]['phase_name'] | exfiltration | collection |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_detection | Many encryption mechanisms are built into standard application-accessible APIs, and are therefore undetectable to the end user. | Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 3.0
Version changed from: 2.0 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may capture audio to collect information on a us | t | 1 | Adversaries may capture audio to collect information by leve |
| > | er of a mobile device using standard operating system APIs. | > | raging standard operating system APIs of a mobile device. Ex | ||
| > | Adversaries may target audio information such as user conver | > | amples of audio information adversaries may target include u | ||
| > | sations, surroundings, phone calls, or other sensitive infor | > | ser conversations, surroundings, phone calls, or other sensi | ||
| > | mation. Android and iOS, by default, requires that an appli | > | tive information. Android and iOS, by default, require | ||
| > | cation request access to microphone devices from the user. I | > | that applications request device microphone access from the | ||
| > | n Android, applications must hold the <code>android.permissi | > | user. On Android devices, applications must hold the ` | ||
| > | on.RECORD_AUDIO</code> permission to access the microphone a | > | RECORD_AUDIO` permission to access the microphone or the `CA | ||
| > | nd the <code>android.permission.CAPTURE_AUDIO_OUTPUT</code> | > | PTURE_AUDIO_OUTPUT` permission to access audio output. Becau | ||
| > | permission to access audio output such as speakers. Android | > | se Android does not allow third-party applications to hold t | ||
| > | does not allow third-party applications to hold <code>androi | > | he `CAPTURE_AUDIO_OUTPUT` permission by default, only privil | ||
| > | d.permission.CAPTURE_AUDIO_OUTPUT</code>, so audio output ca | > | eged applications, such as those distributed by Google or th | ||
| > | n only be obtained by privileged applications (distributed b | > | e device vendor, can access audio output.(Citation: Android | ||
| > | y Google or the device vendor) or after a successful privile | > | Permissions) However, adversaries may be able to gain this a | ||
| > | ge escalation attack. In iOS, applications must include the | > | ccess after successfully elevating their privileges. With th | ||
| > | `NSMicrophoneUsageDescription` key in their `Info.plist` fil | > | e `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass th | ||
| > | e. | > | e `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaR | ||
| > | ecorder.setAudioOutput`, allowing capture of both voice call | ||||
| > | uplink and downlink.(Citation: Manifest.permission) On | ||||
| > | iOS devices, applications must include the `NSMicrophoneUsa | ||||
| > | geDescription` key in their `Info.plist` file to access the | ||||
| > | microphone.(Citation: Requesting Auth-Media Capture) | ||||
New Mitigations:
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022. |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1032 | |
| external_references | APP-19 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-20 17:59:11.041000+00:00 | 2022-04-29 17:29:49.023000+00:00 |
| name | Capture Audio | Audio Capture |
| description | Adversaries may capture audio to collect information on a user of a mobile device using standard operating system APIs. Adversaries may target audio information such as user conversations, surroundings, phone calls, or other sensitive information.
Android and iOS, by default, requires that an application request access to microphone devices from the user. In Android, applications must hold the android.permission.RECORD_AUDIO permission to access the microphone and the android.permission.CAPTURE_AUDIO_OUTPUT permission to access audio output such as speakers. Android does not allow third-party applications to hold android.permission.CAPTURE_AUDIO_OUTPUT, so audio output can only be obtained by privileged applications (distributed by Google or the device vendor) or after a successful privilege escalation attack. In iOS, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file. | Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. Android and iOS, by default, require that applications request device microphone access from the user. On Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) On iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Manifest.permission |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html | https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL |
| x_mitre_detection | On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone through the device settings screen, and the user can choose to revoke the permissions. | In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware) In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators) Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. In both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. |
| x_mitre_version | 2.0 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Requesting Auth-Media Capture', 'description': 'Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. Retrieved April 1, 2022.', 'url': 'https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios'} | |
| external_references | {'source_name': 'Android Permissions', 'description': 'Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.', 'url': 'https://developer.android.com/reference/android/Manifest.permission'} | |
| external_references | {'source_name': 'Android Privacy Indicators', 'description': 'Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.', 'url': 'https://source.android.com/devices/tech/config/privacy-indicators'} | |
| external_references | {'source_name': 'iOS Mic Spyware', 'description': 'ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.', 'url': 'https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html', 'external_id': 'APP-19'} |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | If an adversary can escalate privileges, he or she may be ab | t | 1 | Adversaries may use scripts automatically executed at boot o |
| > | le to use those privileges to place malicious code in the de | > | r logon initialization to establish persistence. Initializat | ||
| > | vice kernel or other boot partition components, where the co | > | ion scripts are part of the underlying operating system and | ||
| > | de may evade detection, may persist after device resets, and | > | are not accessible to the user unless the device has been ro | ||
| > | may not be removable by the device user. In some cases (e.g | > | oted or jailbroken. | ||
| > | ., the Samsung Knox warranty bit as described under Detectio | ||||
| > | n), the attack may be detected but could result in the devic | ||||
| > | e being placed in a state that no longer allows certain func | ||||
| > | tionality. Many Android devices provide the ability to unlo | ||||
| > | ck the bootloader for development purposes, but doing so int | ||||
| > | roduces the potential ability for others to maliciously upda | ||||
| > | te the kernel or other boot partition code. If the bootload | ||||
| > | er is not unlocked, it may still be possible to exploit devi | ||||
| > | ce vulnerabilities to update the code. | ||||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Android. (n.d.). Verified Boot. Retrieved December 21, 2016. | |
| external_references | APP-27 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1001 | |
| external_references | APP-26 | |
| external_references | Samsung. (n.d.). What is a Knox Warranty Bit and how is it triggered?. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-11 14:33:11.096000+00:00 |
| name | Modify OS Kernel or Boot Partition | Boot or Logon Initialization Scripts |
| description | If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality. Many Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code. If the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code. | Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. |
| kill_chain_phases[0]['phase_name'] | defense-evasion | persistence |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android-VerifiedBoot |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html | https://source.android.com/security/verifiedboot/ |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html |
| external_references[2]['external_id'] | APP-27 | APP-26 |
| external_references[3]['source_name'] | Samsung-KnoxWarrantyBit | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html |
| x_mitre_detection | The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices. Samsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered "if a non-Knox kernel has been loaded on the device" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device. As described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected. Many enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise. | On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'persistence'} | |
| external_references | {'source_name': 'Apple-iOSSecurityGuide', 'description': 'Apple. (2016, May). iOS Security. Retrieved December 21, 2016.', 'url': 'https://www.apple.com/business/docs/iOS_Security_Guide.pdf'} |
Current version: 3.0
Version changed from: 2.0 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse Clipboard Manager APIs to obtain sensi | t | 1 | Adversaries may abuse clipboard manager APIs to obtain sensi |
| > | tive information copied to the global clipboard. For example | > | tive information copied to the device clipboard. For example | ||
| > | , passwords being copy-and-pasted from a password manager ap | > | , passwords being copied and pasted from a password manager | ||
| > | p could be captured by another application installed on the | > | application could be captured by a malicious application ins | ||
| > | device.(Citation: Fahl-Clipboard) On Android, <code>Clipboa | > | talled on the device.(Citation: Fahl-Clipboard) On Andr | ||
| > | rdManager.OnPrimaryClipChangedListener</code> can be used by | > | oid, applications can use the `ClipboardManager.OnPrimaryCli | ||
| > | applications to register as a listener and monitor the clip | > | pChangedListener()` API to register as a listener and monito | ||
| > | board for changes.(Citation: Github Capture Clipboard 2019) | > | r the clipboard for changes. However, starting in Android 10 | ||
| > | Android 10 mitigates this technique by preventing applicati | > | , this can only be used if the application is in the foregro | ||
| > | ons from accessing clipboard data unless the application is | > | und, or is set as the device’s default input method editor ( | ||
| > | on the foreground or is set as the device’s default input me | > | IME).(Citation: Github Capture Clipboard 2019)(Citation: And | ||
| > | thod editor (IME).(Citation: Android 10 Privacy Changes) | > | roid 10 Privacy Changes) On iOS, this can be accomplish | ||
| > | ed by accessing the `UIPasteboard.general.string` field. How | ||||
| > | ever, starting in iOS 14, upon accessing the clipboard, the | ||||
| > | user will be shown a system notification if the accessed tex | ||||
| > | t originated in a different application. For example, if the | ||||
| > | user copies the text of an iMessage from the Messages appli | ||||
| > | cation, the notification will read “application_name has pas | ||||
| > | ted from Messages” when the text was pasted in a different a | ||||
| > | pplication.(Citation: UIPPasteboard) | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1017 | |
| external_references | APP-35 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-13 20:46:26.223000+00:00 | 2022-04-19 19:29:45.323000+00:00 |
| name | Capture Clipboard Data | Clipboard Data |
| description | Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.(Citation: Fahl-Clipboard)
On Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.(Citation: Github Capture Clipboard 2019)
Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).(Citation: Android 10 Privacy Changes) | Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) On Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) On iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android 10 Privacy Changes |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html | https://developer.android.com/about/versions/10/privacy/changes#clipboard-data |
| external_references[2]['source_name'] | Fahl-Clipboard | UIPPasteboard |
| external_references[2]['description'] | Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019. | Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022. |
| external_references[2]['url'] | http://saschafahl.de/static/paper/pwmanagers2013.pdf | https://developer.apple.com/documentation/uikit/uipasteboard |
| external_references[3]['source_name'] | Github Capture Clipboard 2019 | Fahl-Clipboard |
| external_references[3]['description'] | Pearce, G. (, January). Retrieved August 8, 2019. | Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019. |
| external_references[3]['url'] | https://github.com/grepx/android-clipboard-security | http://saschafahl.de/static/paper/pwmanagers2013.pdf |
| external_references[4]['source_name'] | Android 10 Privacy Changes | Github Capture Clipboard 2019 |
| external_references[4]['description'] | Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. | Pearce, G. (, January). Retrieved August 8, 2019. |
| external_references[4]['url'] | https://developer.android.com/about/versions/10/privacy/changes#clipboard-data | https://github.com/grepx/android-clipboard-security |
| x_mitre_detection | Capturing clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | Application vetting services could detect usage of standard clipboard APIs. |
| x_mitre_version | 2.0 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html', 'external_id': 'APP-35'} |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | As described by [Drive-by Compromise](https://attack.mitre.o | t | 1 | Adversaries may gain access to a system through a user visit |
| > | rg/techniques/T1189), a drive-by compromise is when an adver | > | ing a website over the normal course of browsing. With this | ||
| > | sary gains access to a system through a user visiting a webs | > | technique, the user's web browser is typically targeted for | ||
| > | ite over the normal course of browsing. With this technique, | > | exploitation, but adversaries may also use compromised websi | ||
| > | the user's web browser is targeted for exploitation. For ex | > | tes for non-exploitation behavior such as acquiring an [Appl | ||
| > | ample, a website may contain malicious media content intende | > | ication Access Token](https://attack.mitre.org/techniques/T1 | ||
| > | d to exploit vulnerabilities in media parsers as demonstrate | > | 550/001). Multiple ways of delivering exploit code to a bro | ||
| > | d by the Android Stagefright vulnerability (Citation: Zimpe | > | wser exist, including: * A legitimate website is compromise | ||
| > | rium-Stagefright). (This technique was formerly known as Ma | > | d where adversaries have injected some form of malicious cod | ||
| > | licious Web Content. It has been renamed to better align wit | > | e such as JavaScript, iFrames, and cross-site scripting. * M | ||
| > | h ATT&CK for Enterprise.) | > | alicious ads are paid for and served through legitimate ad p | ||
| > | roviders. * Built-in web application interfaces are leverage | ||||
| > | d for the insertion of any other kind of object that can be | ||||
| > | used to display web content or contain a script that execute | ||||
| > | s on the visiting client (e.g. forum posts, comments, and ot | ||||
| > | her user controllable web content). Often the website used | ||||
| > | by an adversary is one visited by a specific community, such | ||||
| > | as government, a particular industry, or region, where the | ||||
| > | goal is to compromise a specific user or set of users based | ||||
| > | on a shared interest. This kind of targeted attack is referr | ||||
| > | ed to a strategic web compromise or watering hole attack. Th | ||||
| > | ere are several known examples of this occurring.(Citation: | ||||
| > | Lookout-StealthMango) Typical drive-by compromise process: | ||||
| > | 1. A user visits a website that is used to host the adversa | ||||
| > | ry controlled content. 2. Scripts automatically execute, typ | ||||
| > | ically searching versions of the browser and plugins for a p | ||||
| > | otentially vulnerable version. * The user may be requir | ||||
| > | ed to assist in this process by enabling scripting or active | ||||
| > | website components and ignoring warning dialog boxes. 3. Up | ||||
| > | on finding a vulnerable version, exploit code is delivered t | ||||
| > | o the browser. 4. If exploitation is successful, then it wil | ||||
| > | l give the adversary code execution on the user's system unl | ||||
| > | ess other protections are in place. * In some cases a se | ||||
| > | cond visit to the website after the initial scan is required | ||||
| > | before exploit code is delivered. | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Mobile security products can often alert the user if their device is vulnerable to known exploits. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018. | |
| external_references | CEL-22 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1059 | |
| external_references | CEL-22 | |
| external_references | Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. Retrieved December 23, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-19 15:32:30.837000+00:00 |
| name | Drive-by Compromise | Drive-By Compromise |
| description | As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright). (This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.) | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting. * Malicious ads are paid for and served through legitimate ad providers. * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Lookout-StealthMango |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html | https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf |
| external_references[2]['source_name'] | Zimperium-Stagefright | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/ | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-01 14:18:47.762000+00:00 | 2022-04-05 20:11:35.852000+00:00 |
| name | Standard Cryptographic Protocol | Encrypted Channel |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_detection | Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is undetectable to the user. | Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | A malicious app can exploit unpatched vulnerabilities in the | t | 1 | Adversaries may exploit software vulnerabilities in order to |
| > | operating system to obtain escalated privileges. | > | to elevate privileges. Exploitation of a software vulnerabi | ||
| > | lity occurs when an adversary takes advantage of a programmi | ||||
| > | ng error in an application, service, within the operating sy | ||||
| > | stem software, or kernel itself to execute adversary-control | ||||
| > | led code. Security constructions, such as permission levels, | ||||
| > | will often hinder access to information and use of certain | ||||
| > | techniques. Adversaries will likely need to perform privileg | ||||
| > | e escalation to include use of software exploitation to circ | ||||
| > | umvent those restrictions. When initially gaining access t | ||||
| > | o a device, an adversary may be operating within a lower pri | ||||
| > | vileged process which will prevent them from accessing certa | ||||
| > | in resources on the system. Vulnerabilities may exist, usual | ||||
| > | ly in operating system components and applications running a | ||||
| > | t higher permissions, that can be exploited to gain higher l | ||||
| > | evels of access on the system. This could enable someone to | ||||
| > | move from unprivileged or user- level permission to root per | ||||
| > | missions depending on the component that is vulnerable. | ||||
New Mitigations:
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1007 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-03-30 15:51:08.258000+00:00 |
| name | Exploit OS Vulnerability | Exploitation for Privilege Escalation |
| description | A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges. | Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Google. (n.d.). Sensors Overview. Retrieved November 19, 2019. | |
| external_references | APP-19 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | APP-19 | |
| external_references | Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-12-26 16:14:33.302000+00:00 | 2022-04-08 15:38:03.160000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection | defense-evasion |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android-SensorsOverview |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html | https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices |
| external_references[2]['source_name'] | Android-SensorsOverview | Android-ForegroundServices |
| external_references[2]['description'] | Google. (n.d.). Sensors Overview. Retrieved November 19, 2019. | Google. (n.d.). Services overview. Retrieved November 19, 2019. |
| external_references[2]['url'] | https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices | https://developer.android.com/guide/components/services.html#Foreground |
| external_references[3]['source_name'] | Android-ForegroundServices | TrendMicro-Yellow Camera |
| external_references[3]['description'] | Google. (n.d.). Services overview. Retrieved November 19, 2019. | Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019. |
| external_references[3]['url'] | https://developer.android.com/guide/components/services.html#Foreground | https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/ |
| external_references[5]['source_name'] | TrendMicro-Yellow Camera | NIST Mobile Threat Catalogue |
| external_references[5]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html |
| x_mitre_detection | Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. | Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Files may be copied from one system to another to stage adve | t | 1 | Adversaries may transfer tools or other files from an extern |
| > | rsary tools or other files over the course of an operation. | > | al system onto a compromised device to facilitate follow-on | ||
| > | Files may be copied from an external adversary-controlled sy | > | actions. Files may be copied from an external adversary-cont | ||
| > | stem through the Command and Control channel to bring tools | > | rolled system through the command and control channel or th | ||
| > | into the victim network or onto the victim’s device. | > | rough alternate protocols with another tool such as FTP. | ||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-01-21 15:27:30.182000+00:00 | 2022-04-06 14:46:25.107000+00:00 |
| name | Remote File Copy | Ingress Tool Transfer |
| description | Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim’s device. | Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_detection | Downloading remote files is common application behavior and is therefore typically undetectable to the end user. | Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-28 18:34:15.373000+00:00 | 2022-04-08 15:46:24.495000+00:00 |
| name | Native Code | Native API |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use non-standard ports to exfiltrate informa | t | 1 | Adversaries may generate network traffic using a protocol an |
| > | tion. | > | d port paring that are typically not associated. For example | ||
| > | , HTTPS over port 8088 or port 587 as opposed to the traditi | ||||
| > | onal port 443. Adversaries may make changes to the standard | ||||
| > | port used by a protocol to bypass filtering or muddle analys | ||||
| > | is/parsing of network data. | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-11 13:27:50.344000+00:00 | 2022-04-06 14:50:16.409000+00:00 |
| name | Uncommonly Used Port | Non-Standard Port |
| description | Adversaries may use non-standard ports to exfiltrate information. | Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_detection | Detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports. | Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 3.0
Version changed from: 2.0 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An app could contain malicious code in obfuscated or encrypt | t | 1 | Adversaries may attempt to make a payload or file difficult |
| > | ed form, then deobfuscate or decrypt the code at runtime to | > | to discover or analyze by encrypting, encoding, or otherwise | ||
| > | evade many app vetting techniques.(Citation: Rastogi) (Citat | > | obfuscating its contents on the device or in transit. This | ||
| > | ion: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS) | > | is common behavior that can be used across different platfor | ||
| > | ms and the network to evade defenses. Payloads may be com | ||||
| > | pressed, archived, or encrypted in order to avoid detection. | ||||
| > | These payloads may be used during Initial Access or later t | ||||
| > | o mitigate detection. Portions of files can also be encoded | ||||
| > | to hide the plaintext strings that would otherwise help defe | ||||
| > | nders with discovery. Payloads may also be split into separa | ||||
| > | te, seemingly benign files that only reveal malicious functi | ||||
| > | onality when reassembled.(Citation: Microsoft MalLockerB) | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020. | |
| external_references | APP-21 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1009 | |
| external_references | APP-21 | |
| external_references | Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-23 13:26:01.263000+00:00 | 2022-04-06 12:36:31.652000+00:00 |
| description | An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS) | Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Microsoft MalLockerB |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html | https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/ |
| external_references[2]['source_name'] | Rastogi | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html |
| x_mitre_detection | Malicious obfuscation of files or information can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior. | Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code. |
| x_mitre_version | 2.0 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Zhou', 'description': 'Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.', 'url': 'http://ieeexplore.ieee.org/document/6234407'} | |
| external_references | {'source_name': 'TrendMicro-Obad', 'description': 'Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.', 'url': 'http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/'} | |
| external_references | {'source_name': 'Xiao-iOS', 'description': 'Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.', 'url': 'http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao'} |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | On Android versions prior to 5, applications can observe inf | t | 1 | Adversaries may attempt to get information about running pro |
| > | ormation about other processes that are running through meth | > | cesses on a device. Information obtained could be used to ga | ||
| > | ods in the ActivityManager class. On Android versions prior | > | in an understanding of common software/applications running | ||
| > | to 7, applications can obtain this information by executing | > | on devices within a network. Adversaries may use the informa | ||
| > | the <code>ps</code> command, or by examining the <code>/proc | > | tion from [Process Discovery](https://attack.mitre.org/techn | ||
| > | </code> directory. Starting in Android version 7, use of the | > | iques/T1424) during automated discovery to shape follow-on b | ||
| > | Linux kernel's <code>hidepid</code> feature prevents applic | > | ehaviors, including whether or not the adversary fully infec | ||
| > | ations (without escalated privileges) from accessing this in | > | ts the target and/or attempts specific actions. Recent | ||
| > | formation (Citation: Android-SELinuxChanges). | > | Android security enhancements have made it more difficult to | ||
| > | obtain a list of running processes. On Android 7 and later, | ||||
| > | there is no way for an application to obtain the process li | ||||
| > | st without abusing elevated privileges. This is due to the A | ||||
| > | ndroid kernel utilizing the `hidepid` mount feature. Prior t | ||||
| > | o Android 7, applications could utilize the `ps` command or | ||||
| > | examine the `/proc` directory on the device.(Citation: Andro | ||||
| > | id-SELinuxChanges) In iOS, applications have previously | ||||
| > | been able to use the `sysctl` command to obtain a list of r | ||||
| > | unning processes. This functionality has been removed in lat | ||||
| > | er iOS versions. | ||||
New Mitigations:
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1027 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-03-30 20:32:19.942000+00:00 |
| description | On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges). | Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) In iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | iOS |
Current version: 2.0
Version changed from: 1.1 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | If the mobile device is connected (typically via USB) to a c | t | 1 | Adversaries may move onto devices by exploiting or copying m |
| > | harging station or a PC, for example to charge the device's | > | alware to devices connected via USB. In the case of Lateral | ||
| > | battery, then a compromised or malicious charging station or | > | Movement, adversaries may utilize the physical connection of | ||
| > | PC could attempt to exploit the mobile device via the conne | > | a device to a compromised or malicious charging station or | ||
| > | ction(Citation: Krebs-JuiceJacking). Previous demonstration | > | PC to bypass application store requirements and install mali | ||
| > | s have included: * Injecting malicious applications into iO | > | cious applications directly.(Citation: Lau-Mactans) In the c | ||
| > | S devices(Citation: Lau-Mactans). * Exploiting a Nexus 6 or | > | ase of Initial Access, adversaries may attempt to exploit th | ||
| > | 6P device over USB and gaining the ability to perform action | > | e device via the connection to gain access to data stored on | ||
| > | s including intercepting phone calls, intercepting network t | > | the device.(Citation: Krebs-JuiceJacking) Examples of this | ||
| > | raffic, and obtaining the device physical location(Citation: | > | include: * Exploiting insecure bootloaders in a Nexus 6 o | ||
| > | IBM-NexusUSB). * Exploiting Android devices such as the Goo | > | r 6P device over USB and gaining the ability to perform acti | ||
| > | gle Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal). | > | ons including intercepting phone calls, intercepting network | ||
| > | Products from Cellebrite and Grayshift purportedly can use p | > | traffic, and obtaining the device physical location.(Citati | ||
| > | hysical access to the data port to unlock the passcode on so | > | on: IBM-NexusUSB) * Exploiting weakly-enforced security bou | ||
| > | me iOS devices(Citation: Computerworld-iPhoneCracking). | > | ndaries in Android devices such as the Google Pixel 2 over U | ||
| > | SB.(Citation: GoogleProjectZero-OATmeal) * Products from Ce | ||||
| > | llebrite and Grayshift purportedly that can exploit some iOS | ||||
| > | devices using physical access to the data port to unlock th | ||||
| > | e passcode.(Citation: Computerworld-iPhoneCracking) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016. | |
| external_references | PHY-1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1061 | |
| external_references | PHY-1 | |
| external_references | Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 15:10:41.460000+00:00 | 2022-04-08 15:53:11.864000+00:00 |
| name | Exploit via Charging Station or PC | Replication Through Removable Media |
| description | If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking). Previous demonstrations have included: * Injecting malicious applications into iOS devices(Citation: Lau-Mactans). * Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB). * Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal). Products from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking). | Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: * Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) * Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) * Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Krebs-JuiceJacking |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html | http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/ |
| external_references[2]['source_name'] | Krebs-JuiceJacking | GoogleProjectZero-OATmeal |
| external_references[2]['description'] | Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016. | Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018. |
| external_references[2]['url'] | http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/ | https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html |
| external_references[4]['source_name'] | IBM-NexusUSB | Computerworld-iPhoneCracking |
| external_references[4]['description'] | Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017. | Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018. |
| external_references[4]['url'] | https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/ | https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html |
| external_references[5]['source_name'] | GoogleProjectZero-OATmeal | IBM-NexusUSB |
| external_references[5]['description'] | Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018. | Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017. |
| external_references[5]['url'] | https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html | https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/ |
| external_references[6]['source_name'] | Computerworld-iPhoneCracking | NIST Mobile Threat Catalogue |
| external_references[6]['url'] | https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'lateral-movement'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html', 'external_id': 'PHY-2'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html', 'external_id': 'STA-6'} |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may seek to identify all applications installed | t | 1 | Adversaries may attempt to get a listing of applications tha |
| > | on the device. One use case for doing so is to identify the | > | t are installed on a device. Adversaries may use the informa | ||
| > | presence of endpoint security applications that may increase | > | tion from [Software Discovery](https://attack.mitre.org/tech | ||
| > | the adversary's risk of detection. Another use case is to i | > | niques/T1418) during automated discovery to shape follow-on | ||
| > | dentify the presence of applications that the adversary may | > | behaviors, including whether or not to fully infect the targ | ||
| > | wish to target. On Android, applications can use methods in | > | et and/or attempts specific actions. Adversaries may at | ||
| > | the PackageManager class (Citation: Android-PackageManager) | > | tempt to enumerate applications for a variety of reasons, su | ||
| > | to enumerate other apps installed on device, or an entity w | > | ch as figuring out what security measures are present or to | ||
| > | ith shell access can use the pm command line tool. On iOS, | > | identify the presence of target applications. | ||
| > | apps can use private API calls to obtain a list of other app | ||||
| > | s installed on the device. (Citation: Kurtz-MaliciousiOSApps | ||||
| > | ) However, use of private API calls will likely prevent the | ||||
| > | application from being distributed through Apple's App Store | ||||
| > | . | ||||
New Mitigations:
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | APP-12 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1021 | |
| external_references | Android. (n.d.). PackageManager. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-03-30 20:41:40.719000+00:00 |
| name | Application Discovery | Software Discovery |
| description | Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target. On Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool. On iOS, apps can use private API calls to obtain a list of other apps installed on the device. (Citation: Kurtz-MaliciousiOSApps) However, use of private API calls will likely prevent the application from being distributed through Apple's App Store. | Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. |
| kill_chain_phases[0]['phase_name'] | defense-evasion | discovery |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | Android-PackageManager | NIST Mobile Threat Catalogue |
| external_references[1]['url'] | https://developer.android.com/reference/android/content/pm/PackageManager.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'discovery'} | |
| external_references | {'source_name': 'Kurtz-MaliciousiOSApps', 'description': 'Andreas Kurtz. (2014, September 18). Malicious iOS Apps. Retrieved December 21, 2016.', 'url': 'https://andreas-kurtz.de/2014/09/malicious-ios-apps/'} |
Current version: 3.0
Version changed from: 2.0 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may access and collect application data resident | t | 1 | Adversaries may try to access and collect application data r |
| > | on the device. Adversaries often target popular application | > | esident on the device. Adversaries often target popular appl | ||
| > | s such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus | > | ications, such as Facebook, WeChat, and Gmail.(Citation: SWB | ||
| > | March 2019) This technique requires either escalated privil | > | Exodus March 2019) Due to mobile OS sandboxing, this t | ||
| > | eges or for the targeted app to have stored the data in an i | > | echnique is only possible in three scenarios: * An appl | ||
| > | nsecure manner (e.g., with insecure file permissions or in a | > | ication stores files in unprotected external storage * An a | ||
| > | n insecure location such as an external storage directory). | > | pplication stores files in its internal storage directory wi | ||
| > | th insecure permissions (e.g. 777) * The adversary gains ro | ||||
| > | ot permissions on the device | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. | |
| external_references | AUT-0 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1012 | |
| external_references | AUT-0 | |
| external_references | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-10 14:17:48.920000+00:00 | 2022-04-11 19:41:54.022000+00:00 |
| name | Access Stored Application Data | Stored Application Data |
| description | Adversaries may access and collect application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory). | Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) Due to mobile OS sandboxing, this technique is only possible in three scenarios: * An application stores files in unprotected external storage * An application stores files in its internal storage directory with insecure permissions (e.g. 777) * The adversary gains root permissions on the device |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | SWB Exodus March 2019 |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html | https://securitywithoutborders.org/blog/2019/03/29/exodus.html |
| external_references[2]['source_name'] | SWB Exodus March 2019 | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | https://securitywithoutborders.org/blog/2019/03/29/exodus.html | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html |
| x_mitre_detection | Accessing stored application data can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage. |
| x_mitre_version | 2.0 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'credential-access'} |
Current version: 2.0
Version changed from: 1.1 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | As further described in [Supply Chain Compromise](https://at | t | 1 | Adversaries may manipulate products or product delivery mech |
| > | tack.mitre.org/techniques/T1195), supply chain compromise is | > | anisms prior to receipt by a final consumer for the purpose | ||
| > | the manipulation of products or product delivery mechanisms | > | of data or system compromise. Supply chain compromise can t | ||
| > | prior to receipt by a final consumer for the purpose of dat | > | ake place at any stage of the supply chain including: * Man | ||
| > | a or system compromise. Somewhat related, adversaries could | > | ipulation of development tools * Manipulation of a developme | ||
| > | also identify and exploit inadvertently present vulnerabilit | > | nt environment * Manipulation of source code repositories (p | ||
| > | ies. In many cases, it may be difficult to be certain whethe | > | ublic or private) * Manipulation of source code in open-sour | ||
| > | r exploitable functionality is due to malicious intent or si | > | ce dependencies * Manipulation of software update/distributi | ||
| > | mply inadvertent mistake. Third-party libraries incorporate | > | on mechanisms * Compromised/infected system images * Replace | ||
| > | d into mobile apps could contain malicious behavior, privacy | > | ment of legitimate software with modified versions * Sales o | ||
| > | -invasive behavior, or exploitable vulnerabilities. An adver | > | f modified/counterfeit products to legitimate distributors * | ||
| > | sary could deliberately insert malicious behavior or could e | > | Shipment interdiction While supply chain compromise can im | ||
| > | xploit inadvertent vulnerabilities. For example, security is | > | pact any component of hardware or software, attackers lookin | ||
| > | sues have previously been identified in third-party advertis | > | g to gain execution have often focused on malicious addition | ||
| > | ing libraries incorporated into apps.(Citation: NowSecure-Re | > | s to legitimate software in software distribution or update | ||
| > | moteCode)(Citation: Grace-Advertisement). | > | channels. Targeting may be specific to a desired victim set | ||
| > | or malicious software may be distributed to a broad set of c | ||||
| > | onsumers but only move on to additional tactics on specific | ||||
| > | victims. Popular open source projects that are used as depe | ||||
| > | ndencies in many applications may also be targeted as a mean | ||||
| > | s to add malicious code to users of the dependency, specific | ||||
| > | ally with the widespread usage of third-party advertising li | ||||
| > | braries.(Citation: Grace-Advertisement)(Citation: NowSecure- | ||||
| > | RemoteCode) | ||||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016. | |
| external_references | APP-6 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1077 | |
| external_references | APP-6 | |
| external_references | M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-03-10 21:06:37.536000+00:00 | 2022-03-28 19:41:56.018000+00:00 |
| description | As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake. Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement). | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including: * Manipulation of development tools * Manipulation of a development environment * Manipulation of source code repositories (public or private) * Manipulation of source code in open-source dependencies * Manipulation of software update/distribution mechanisms * Compromised/infected system images * Replacement of legitimate software with modified versions * Sales of modified/counterfeit products to legitimate distributors * Shipment interdiction While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Grace-Advertisement |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html | https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf |
| external_references[3]['source_name'] | Grace-Advertisement | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html |
| x_mitre_detection | * Insecure third-party libraries could be detected by application vetting techniques. For example, Google's [App Security Improvement Program](https://developer.android.com/google/play/asi) detects the use of third-party libraries with known vulnerabilities within Android apps submitted to the Google Play Store. * Malicious software development tools could be detected by enterprises deploying integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools. | Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries. |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html', 'external_id': 'SPC-0'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html', 'external_id': 'SPC-1'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html', 'external_id': 'SPC-2'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html', 'external_id': 'SPC-3'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html', 'external_id': 'SPC-4'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html', 'external_id': 'SPC-5'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html', 'external_id': 'SPC-6'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html', 'external_id': 'SPC-7'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html', 'external_id': 'SPC-8'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html', 'external_id': 'SPC-9'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html', 'external_id': 'SPC-10'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html', 'external_id': 'SPC-11'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html', 'external_id': 'SPC-12'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html', 'external_id': 'SPC-13'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html', 'external_id': 'SPC-14'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html', 'external_id': 'SPC-15'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html', 'external_id': 'SPC-16'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html', 'external_id': 'SPC-17'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html', 'external_id': 'SPC-18'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html', 'external_id': 'SPC-19'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html', 'external_id': 'SPC-20'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html', 'external_id': 'SPC-21'} |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may utilize the camera to capture information ab | t | 1 | An adversary can leverage a device’s cameras to gather infor |
| > | out the user, their surroundings, or other physical identifi | > | mation by capturing video recordings. Images may also be cap | ||
| > | ers. Adversaries may use the physical camera devices on a mo | > | tured, potentially in specified intervals, in lieu of video | ||
| > | bile device to capture images or video. By default, in Andro | > | files. Malware or scripts may interact with the device | ||
| > | id and iOS, an application must request permission to access | > | cameras through an available API provided by the operating | ||
| > | a camera device which is granted by the user through a requ | > | system. Video or image files may be written to disk and exfi | ||
| > | est prompt. In Android, applications must hold the `android. | > | ltrated later. This technique differs from [Screen Capture]( | ||
| > | permission.CAMERA` permission to access the camera. In iOS, | > | https://attack.mitre.org/techniques/T1513) due to use of the | ||
| > | applications must include the `NSCameraUsageDescription` key | > | device’s cameras for video recording rather than capturing | ||
| > | in the `Info.plist` file, and must request access to the ca | > | the victim’s screen. In Android, an application must ho | ||
| > | mera at runtime. | > | ld the `android.permission.CAMERA` permission to access the | ||
| > | cameras. In iOS, applications must include the `NSCameraUsag | ||||
| > | eDescription` key in the `Info.plist` file. In both cases, t | ||||
| > | he user must grant permission to the requesting application | ||||
| > | to use the camera. If the device has been rooted or jailbrok | ||||
| > | en, an adversary may be able to access the camera without kn | ||||
| > | owledge of the user. | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-12 18:33:15.023000+00:00 | 2022-04-08 15:58:43.813000+00:00 |
| name | Capture Camera | Video Capture |
| description | Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the `android.permission.CAMERA` permission to access the camera. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file, and must request access to the camera at runtime. | An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. In Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_detection | On Android and iOS, the user can view which applications have permission to use the camera through the device settings screen, and the user can choose to revoke the permissions. | The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | A malicious application can read notifications sent by the o | t | 1 | Adversaries may collect data within notifications sent by th |
| > | perating system or other applications, which may contain sen | > | e operating system or other applications. Notifications may | ||
| > | sitive data such as one-time authentication codes sent over | > | contain sensitive data such as one-time authentication codes | ||
| > | SMS, email, or other mediums. A malicious application can al | > | sent over SMS, email, or other mediums. In the case of Cred | ||
| > | so dismiss notifications to prevent the user from noticing t | > | ential Access, adversaries may attempt to intercept one-time | ||
| > | hat the notifications arrived and can trigger action buttons | > | code sent to the device. Adversaries can also dismiss notif | ||
| > | contained within notifications.(Citation: ESET 2FA Bypass) | > | ications to prevent the user from noticing that the notifica | ||
| > | tion has arrived and can trigger action buttons contained wi | ||||
| > | thin notifications.(Citation: ESET 2FA Bypass) | ||||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Lukáš Štefanko, ESET'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-09 14:07:02.217000+00:00 | 2022-04-11 15:54:08.965000+00:00 |
| description | A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) | Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_detection | The user can inspect (and modify) the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). | Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may communicate using a common, standardized app | t | 1 | Adversaries may communicate using application layer protocol |
| > | lication layer protocol such as HTTP, HTTPS, SMTP, or DNS to | > | s to avoid detection/network filtering by blending in with e | ||
| > | avoid detection by blending in with existing traffic. In t | > | xisting traffic. Commands to the mobile device, and often th | ||
| > | he mobile environment, the Google Cloud Messaging (GCM; two- | > | e results of those commands, will be embedded within the pro | ||
| > | way) and Apple Push Notification Service (APNS; one-way serv | > | tocol traffic between the mobile device and server. Advers | ||
| > | er-to-device) are commonly used protocols on Android and iOS | > | aries may utilize many different protocols, including those | ||
| > | respectively that would blend in with routine device traffi | > | used for web browsing, transferring files, electronic mail, | ||
| > | c and are difficult for enterprises to inspect. Google repor | > | or DNS. | ||
| > | tedly responds to reports of abuse by blocking access to GCM | ||||
| > | .(Citation: Kaspersky-MobileMalware) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1040 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 14:52:45.266000+00:00 | 2022-04-19 20:03:51.831000+00:00 |
| name | Standard Application Layer Protocol | Application Layer Protocol |
| description | Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. In the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware) | Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'exfiltration'} | |
| external_references | {'source_name': 'Kaspersky-MobileMalware', 'description': 'Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.', 'url': 'https://securelist.com/mobile-malware-evolution-2013/58335/'} |
Current version: 3.1
Version changed from: 3.0 → 3.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary may encrypt files stored on the mobile device t | t | 1 | An adversary may encrypt files stored on a mobile device to |
| > | o prevent the user from accessing them, for example with the | > | prevent the user from accessing them. This may be done in or | ||
| > | intent of only unlocking access to the files after a ransom | > | der to extract monetary compensation from a victim in exchan | ||
| > | is paid. Without escalated privileges, the adversary is gen | > | ge for decryption or a decryption key (ransomware) or to ren | ||
| > | erally limited to only encrypting files in external/shared s | > | der data permanently inaccessible in cases where the key is | ||
| > | torage locations. This technique has been demonstrated on An | > | not saved or transmitted. | ||
| > | droid. We are unaware of any demonstrated use on iOS. | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1074 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-01 13:51:22.001000+00:00 | 2022-04-06 13:31:22.485000+00:00 |
| description | An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS. | An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 3.0 | 3.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Sensitive data can be collected from local system sources, s | t | 1 | Adversaries may search local system sources, such as file sy |
| > | uch as the file system or databases of information residing | > | stems or local databases, to find files of interest and sens | ||
| > | on the system. Local system data includes information store | > | itive data prior to exfiltration. Access to local syst | ||
| > | d by the operating system. Access to local system data often | > | em data, which includes information stored by the operating | ||
| > | requires escalated privileges (e.g. root access). Examples | > | system, often requires escalated privileges. Examples of loc | ||
| > | of local system data include authentication tokens, the devi | > | al system data include authentication tokens, the device key | ||
| > | ce keyboard cache, Wi-Fi passwords, and photos. | > | board cache, Wi-Fi passwords, and photos. On Android, advers | ||
| > | aries may also attempt to access files from external storage | ||||
| > | which may require additional storage-related permissions. | ||||
| > | |||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-11 14:53:38.987000+00:00 | 2022-04-01 16:53:27.576000+00:00 |
| description | Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system. Local system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. | Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. Access to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html', 'external_id': 'STA-41'} |
Current version: 1.3
Version changed from: 1.2 → 1.3
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An app could download and execute dynamic code (not included | t | 1 | Adversaries may download and execute dynamic code not includ |
| > | in the original application package) after installation to | > | ed in the original application package after installation. T | ||
| > | evade static analysis techniques (and potentially dynamic an | > | his technique is primarily used to evade static analysis che | ||
| > | alysis techniques) used for application vetting or applicati | > | cks and pre-publication scans in official app stores. In som | ||
| > | on store review.(Citation: Poeplau-ExecuteThis) On Android, | > | e cases, more advanced dynamic or behavioral analysis techni | ||
| > | dynamic code could include native code, Dalvik code, or Jav | > | ques could detect this behavior. However, in conjunction wit | ||
| > | aScript code that uses the Android WebView's JavascriptInter | > | h [Execution Guardrails](https://attack.mitre.org/techniques | ||
| > | face capability.(Citation: Bromium-AndroidRCE) On iOS, tech | > | /T1627) techniques, detecting malicious code downloaded afte | ||
| > | niques also exist for executing dynamic code downloaded afte | > | r installation could be difficult. On Android, dynamic code | ||
| > | r application installation.(Citation: FireEye-JSPatch)(Citat | > | could include native code, Dalvik code, or JavaScript code | ||
| > | ion: Wang) | > | that utilizes Android WebView’s `JavascriptInterface` capabi | ||
| > | lity. On iOS, dynamic code could be downloaded and execute | ||||
| > | d through 3rd party libraries such as JSPatch. (Citation: Fi | ||||
| > | reEye-JSPatch) | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016. | |
| external_references | APP-20 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1010 | |
| external_references | APP-20 | |
| external_references | Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014, February). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-09 19:40:52.090000+00:00 | 2022-04-06 12:26:31.735000+00:00 |
| description | An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis) On Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE) On iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang) | Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult. On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | FireEye-JSPatch |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html | https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html |
| external_references[2]['source_name'] | Poeplau-ExecuteThis | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | https://www.internetsociety.org/sites/default/files/10_5_0.pdf | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html |
| x_mitre_detection | Downloading new code at runtime can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior. | Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques. |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Bromium-AndroidRCE', 'description': 'Tom Sutcliffe. (2014, July 31). Remote code execution on Android devices. Retrieved December 9, 2016.', 'url': 'https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/'} | |
| external_references | {'source_name': 'FireEye-JSPatch', 'description': 'Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.', 'url': 'https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html'} | |
| external_references | {'source_name': 'Wang', 'description': 'Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.', 'url': 'https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to exploit enterprise servers, works | t | 1 | Adversaries may exploit remote services of enterprise server |
| > | tations, or other resources over the network. This technique | > | s, workstations, or other resources to gain unauthorized acc | ||
| > | may take advantage of the mobile device's access to an inte | > | ess to internal systems once inside of a network. Adversarie | ||
| > | rnal enterprise network either through local connectivity or | > | s may exploit remote services by taking advantage of a mobil | ||
| > | through a Virtual Private Network (VPN). | > | e device’s access to an internal enterprise network through | ||
| > | local connectivity or through a Virtual Private Network (VPN | ||||
| > | ). Exploitation of a software vulnerability occurs when an a | ||||
| > | dversary takes advantage of a programming error in a program | ||||
| > | , service, or within the operating system software or kernel | ||||
| > | itself to execute adversary-controlled code. A common goal | ||||
| > | for post-compromise exploitation of remote services is for l | ||||
| > | ateral movement to enable access to a remote system. An ad | ||||
| > | versary may need to determine if the remote system is in a v | ||||
| > | ulnerable state, which may be done through [Network Service | ||||
| > | Scanning](https://attack.mitre.org/techniques/T1423) or othe | ||||
| > | r Discovery methods. These look for common, vulnerable softw | ||||
| > | are that may be deployed in the network, the lack of certain | ||||
| > | patches that may indicate vulnerabilities, or security soft | ||||
| > | ware that may be used to detect or contain remote exploitati | ||||
| > | on. Servers are likely a high value target for lateral movem | ||||
| > | ent exploitation, but endpoint systems may also be at risk i | ||||
| > | f they provide an advantage or access to additional resource | ||||
| > | s. Depending on the permissions level of the vulnerable rem | ||||
| > | ote service, an adversary may achieve [Exploitation for Priv | ||||
| > | ilege Escalation](https://attack.mitre.org/techniques/T1404) | ||||
| > | as a result of lateral movement exploitation as well. | ||||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1031 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 12:45:44.023000+00:00 |
| name | Exploit Enterprise Resources | Exploitation of Remote Services |
| description | Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN). | Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. Depending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | On Android, command line tools or the Java file APIs can be | t | 1 | Adversaries may enumerate files and directories or search in |
| > | used to enumerate file system contents. However, Linux file | > | specific device locations for desired information within a | ||
| > | permissions and SELinux policies generally strongly restrict | > | filesystem. Adversaries may use the information from [File a | ||
| > | what can be accessed by apps (without taking advantage of a | > | nd Directory Discovery](https://attack.mitre.org/techniques/ | ||
| > | privilege escalation exploit). The contents of the external | > | T1420) during automated discovery to shape follow-on behavio | ||
| > | storage directory are generally visible, which could presen | > | rs, including deciding if the adversary should fully infect | ||
| > | t concern if sensitive data is inappropriately stored there. | > | the target and/or attempt specific actions. On Android, Li | ||
| > | iOS's security architecture generally restricts the abilit | > | nux file permissions and SELinux policies typically stringen | ||
| > | y to perform file and directory discovery without use of esc | > | tly restrict what can be accessed by apps without taking adv | ||
| > | alated privileges. | > | antage of a privilege escalation exploit. The contents of th | ||
| > | e external storage directory are generally visible, which co | ||||
| > | uld present concerns if sensitive data is inappropriately st | ||||
| > | ored there. iOS's security architecture generally restricts | ||||
| > | the ability to perform any type of [File and Directory Disco | ||||
| > | very](https://attack.mitre.org/techniques/T1420) without use | ||||
| > | of escalated privileges. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | On Android, users are presented with a permissions popup when an application requests access to external device storage. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1023 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-19 19:52:12.345000+00:00 |
| description | On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges. | Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. On Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html', 'external_id': 'STA-41'} | |
| x_mitre_platforms | iOS |
Current version: 2.2
Version changed from: 2.1 → 2.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may capture user input to obtain credentials or | t | 1 | Adversaries may use methods of capturing user input to obtai |
| > | other information from the user through various methods. Ma | > | n credentials or collect information. During normal device u | ||
| > | lware may masquerade as a legitimate third-party keyboard to | > | sage, users often provide credentials to various locations, | ||
| > | record user keystrokes.(Citation: Zeltser-Keyboard) On both | > | such as login pages/portals or system dialog boxes. Input ca | ||
| > | Android and iOS, users must explicitly authorize the use of | > | pture mechanisms may be transparent to the user (e.g. [Keylo | ||
| > | third-party keyboard apps. Users should be advised to use e | > | gging](https://attack.mitre.org/techniques/T1417/001)) or re | ||
| > | xtreme caution before granting this authorization when it is | > | ly on deceiving the user into providing input into what they | ||
| > | requested. On Android, malware may abuse accessibility fea | > | believe to be a genuine application prompt (e.g. [GUI Input | ||
| > | tures to record keystrokes by registering an `AccessibilityS | > | Capture](https://attack.mitre.org/techniques/T1417/002)). | ||
| > | ervice` class, overriding the `onAccessibilityEvent` method, | ||||
| > | and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CH | ||||
| > | ANGED` event type. The event object passed into the function | ||||
| > | will contain the data that the user typed. Additional meth | ||||
| > | ods of keylogging may be possible if root access is availabl | ||||
| > | e. | ||||
New Mitigations:
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | APP-31 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1020 | |
| external_references | Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 15:09:12.483000+00:00 | 2022-04-11 18:48:26.111000+00:00 |
| description | Adversaries may capture user input to obtain credentials or other information from the user through various methods. Malware may masquerade as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested. On Android, malware may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. Additional methods of keylogging may be possible if root access is available. | Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)). |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | Zeltser-Keyboard | NIST Mobile Threat Catalogue |
| external_references[1]['url'] | https://zeltser.com/third-party-keyboards-security/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html |
| x_mitre_detection | On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions. | Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards. |
| x_mitre_version | 2.1 | 2.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html', 'external_id': 'AUT-13'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary could use a malicious or exploited application | t | 1 | Adversaries may track a device’s physical location through u |
| > | to surreptitiously track the device's physical location thro | > | se of standard operating system APIs via malicious or exploi | ||
| > | ugh use of standard operating system APIs. | > | ted applications on the compromised device. On Android, | ||
| > | applications holding the `ACCESS_COAURSE_LOCATION` or `ACCE | ||||
| > | SS_FINE_LOCATION` permissions provide access to the device’s | ||||
| > | physical location. On Android 10 and up, declaration of the | ||||
| > | `ACCESS_BACKGROUND_LOCATION` permission in an application’s | ||||
| > | manifest will allow applications to request location access | ||||
| > | even when the application is running in the background.(Cit | ||||
| > | ation: Android Request Location Permissions) Some adversarie | ||||
| > | s have utilized integration of Baidu map services to retriev | ||||
| > | e geographical location once the location access permissions | ||||
| > | had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: | ||||
| > | Palo Alto HenBox) On iOS, applications must include the | ||||
| > | `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAnd | ||||
| > | WhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDes | ||||
| > | cription` keys in their `Info.plist` file depending on the e | ||||
| > | xtent of requested access to location information.(Citation: | ||||
| > | Apple Requesting Authorization for Location Services) On iO | ||||
| > | S 8.0 and up, applications call `requestWhenInUseAuthorizati | ||||
| > | on()` to request access to location information when the app | ||||
| > | lication is in use or `requestAlwaysAuthorization()` to requ | ||||
| > | est access to location information regardless of whether the | ||||
| > | application is in use. With elevated privileges, an adversa | ||||
| > | ry may be able to access location data without explicit user | ||||
| > | consent with the `com.apple.locationd.preauthorized` entitl | ||||
| > | ement key.(Citation: Google Project Zero Insomnia) | ||||
New Mitigations:
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1033 | |
| external_references | APP-24 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-15 20:01:06.186000+00:00 | 2022-04-01 17:05:16.493000+00:00 |
| description | An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs. | Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. On Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) On iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Palo Alto HenBox |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html | https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ |
| x_mitre_detection | On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions. | Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. In both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Android Request Location Permissions', 'description': 'Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.', 'url': 'https://developer.android.com/training/location/permissions'} | |
| external_references | {'source_name': 'Apple Requesting Authorization for Location Services', 'description': 'Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.', 'url': 'https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services'} | |
| external_references | {'source_name': 'Google Project Zero Insomnia', 'description': 'I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.', 'url': 'https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html'} | |
| external_references | {'source_name': 'PaloAlto-SpyDealer', 'description': 'Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.', 'url': 'https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/'} | |
| external_references | {'source_name': 'NIST Mobile Threat Catalogue', 'url': 'https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html', 'external_id': 'APP-24'} |
Current version: 1.2
Version changed from: 1.1 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary with physical access to a mobile device may see | t | 1 | An adversary with physical access to a mobile device may see |
| > | k to bypass the device's lockscreen. ### Biometric Spoofing | > | k to bypass the device’s lockscreen. Several methods exist t | ||
| > | If biometric authentication is used, an adversary could att | > | o accomplish this, including: * Biometric spoofing: If biom | ||
| > | empt to spoof a mobile device's biometric authentication mec | > | etric authentication is used, an adversary could attempt to | ||
| > | hanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews- | > | spoof a mobile device’s biometric authentication mechanism. | ||
| > | Spoof)(Citation: TheSun-FaceID). iOS partly mitigates this | > | Both iOS and Android partly mitigate this attack by requirin | ||
| > | attack by requiring the device passcode rather than a finger | > | g the device’s passcode rather than biometrics to unlock the | ||
| > | print to unlock the device after every device restart and af | > | device after every device restart, and after a set or rando | ||
| > | ter 48 hours since the device was last unlocked (Citation: A | > | m amount of time.(Citation: SRLabs-Fingerprint)(Citation: Th | ||
| > | pple-TouchID). Android has similar mitigations. ### Device | > | eSun-FaceID) * Unlock code bypass: An adversaries could atte | ||
| > | Unlock Code Guessing or Brute Force An adversary could attem | > | mpt to brute-force or otherwise guess the lockscreen passcod | ||
| > | pt to brute-force or otherwise guess the lockscreen passcode | > | e (typically a PIN or password), including physically observ | ||
| > | (typically a PIN or password), including physically observi | > | ing (“shoulder surfing”) the device owner’s use of the locks | ||
| > | ng ("shoulder surfing") the device owner's use of the locksc | > | creen passcode. Mobile OS vendors partly mitigate this by im | ||
| > | reen passcode. ### Exploit Other Device Lockscreen Vulnera | > | plementing incremental backoff timers after a set number of | ||
| > | bilities Techniques have periodically been demonstrated that | > | failed unlock attempts, as well as a configurable full devic | ||
| > | exploit vulnerabilities on Android (Citation: Wired-Android | > | e wipe after several failed unlock attempts. * Vulnerability | ||
| > | Bypass), iOS (Citation: Kaspersky-iOSBypass), or other mobil | > | exploit: Techniques have been periodically demonstrated tha | ||
| > | e devices to bypass the device lockscreen. The vulnerabiliti | > | t exploit mobile devices to bypass the lockscreen. The vulne | ||
| > | es are generally patched by the device/operating system vend | > | rabilities are generally patched by the device or OS vendor | ||
| > | or once they become aware of their existence. | > | once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kas | ||
| > | persky-iOSBypass) | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Users can see if someone is watching them type in their device passcode. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1064 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 17:08:07.111000+00:00 | 2022-04-19 15:36:12.312000+00:00 |
| description | An adversary with physical access to a mobile device may seek to bypass the device's lockscreen. ### Biometric Spoofing If biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID). iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations. ### Device Unlock Code Guessing or Brute Force An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing ("shoulder surfing") the device owner's use of the lockscreen passcode. ### Exploit Other Device Lockscreen Vulnerabilities Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence. | An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including: * Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID) * Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts. * Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | SRLabs-Fingerprint | Wired-AndroidBypass |
| external_references[1]['description'] | SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016. | Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016. |
| external_references[1]['url'] | https://srlabs.de/bites/spoofing-fingerprints/ | https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/ |
| external_references[2]['source_name'] | SecureIDNews-Spoof | Kaspersky-iOSBypass |
| external_references[2]['description'] | Zack Martin. (2016, March 11). Another spoof of mobile biometrics. Retrieved September 18, 2018. | Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016. |
| external_references[2]['url'] | https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/ | https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/ |
| external_references[4]['source_name'] | Apple-TouchID | SRLabs-Fingerprint |
| external_references[4]['description'] | Apple. (2015, November 3). About Touch ID security on iPhone and iPad. Retrieved December 23, 2016. | SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016. |
| external_references[4]['url'] | https://support.apple.com/en-us/HT204587 | https://srlabs.de/bites/spoofing-fingerprints/ |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Wired-AndroidBypass', 'description': 'Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.', 'url': 'https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/'} | |
| external_references | {'source_name': 'Kaspersky-iOSBypass', 'description': 'Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.', 'url': 'https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/'} |
Current version: 1.2
Version changed from: 1.1 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An attacker could jam radio signals (e.g. Wi-Fi, cellular, G | t | 1 | Adversaries may perform Network Denial of Service (DoS) atta |
| > | PS) to prevent the mobile device from communicating. (Citati | > | cks to degrade or block the availability of targeted resourc | ||
| > | on: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTi | > | es to users. Network DoS can be performed by exhausting the | ||
| > | mes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arst | > | network bandwidth that services rely on, or by jamming the s | ||
| > | echnica-Celljam) | > | ignal going to or coming from devices. A Network DoS will | ||
| > | occur when an adversary is able to jam radio signals (e.g. W | ||||
| > | i-Fi, cellular, GPS) around a device to prevent it from comm | ||||
| > | unicating. For example, to jam cellular signal, an adversary | ||||
| > | may use a handheld signal jammer, which jam devices within | ||||
| > | the jammer’s operational range.(Citation: NIST-SP800187) U | ||||
| > | sage of cellular jamming has been documented in several arre | ||||
| > | sts reported in the news.(Citation: CNET-Celljammer)(Citatio | ||||
| > | n: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citatio | ||||
| > | n: Arstechnica-Celljam) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Unexpected loss of radio signal could indicate that a device is being actively jammed. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018. | |
| external_references | David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018. | |
| external_references | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017. | |
| external_references | Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018. | |
| external_references | CEL-7 | |
| external_references | CEL-8 | |
| external_references | LPN-5 | |
| external_references | GPS-0 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1067 | |
| external_references | CEL-7 | |
| external_references | CEL-8 | |
| external_references | LPN-5 | |
| external_references | GPS-0 | |
| external_references | Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018. | |
| external_references | Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018. | |
| external_references | Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. Retrieved November 8, 2018. | |
| external_references | David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 14:15:21.946000+00:00 | 2022-04-06 13:26:42.303000+00:00 |
| name | Jamming or Denial of Service | Network Denial of Service |
| description | An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam) | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. A Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.(Citation: NIST-SP800187) Usage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam) |
| kill_chain_phases[0]['phase_name'] | network-effects | impact |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | CNET-Celljammer |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html | https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/ |
| external_references[2]['source_name'] | NIST Mobile Threat Catalogue | Arstechnica-Celljam |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html | https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/ |
| external_references[3]['source_name'] | NIST Mobile Threat Catalogue | NIST-SP800187 |
| external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf |
| external_references[4]['source_name'] | NIST Mobile Threat Catalogue | NYTimes-Celljam |
| external_references[4]['url'] | https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html | https://www.nytimes.com/2007/11/04/technology/04jammer.html |
| external_references[5]['source_name'] | NIST-SP800187 | Digitaltrends-Celljam |
| external_references[5]['description'] | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017. | Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. Retrieved November 8, 2018. |
| external_references[5]['url'] | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf | https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/ |
| external_references[6]['source_name'] | CNET-Celljammer | NIST Mobile Threat Catalogue |
| external_references[6]['url'] | https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/ | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html |
| external_references[7]['source_name'] | NYTimes-Celljam | NIST Mobile Threat Catalogue |
| external_references[7]['url'] | https://www.nytimes.com/2007/11/04/technology/04jammer.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html |
| external_references[8]['source_name'] | Digitaltrends-Celljam | NIST Mobile Threat Catalogue |
| external_references[8]['url'] | https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/ | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html |
| external_references[9]['source_name'] | Arstechnica-Celljam | NIST Mobile Threat Catalogue |
| external_references[9]['url'] | https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/ | https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html |
| x_mitre_tactic_type[0] | Without Adversary Device Access | Post-Adversary Device Access |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1026 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-11 19:12:38.451000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use screen captures to collect information a | t | 1 | Adversaries may use screen capture to collect additional inf |
| > | bout applications running in the foreground, capture user da | > | ormation about a target device, such as applications running | ||
| > | ta, credentials, or other sensitive information. Application | > | in the foreground, user data, credentials, or other sensiti | ||
| > | s running in the background can capture screenshots or video | > | ve information. Applications running in the background can c | ||
| > | s of another application running in the foreground by using | > | apture screenshots or videos of another application running | ||
| > | the Android `MediaProjectionManager` (generally requires the | > | in the foreground by using the Android `MediaProjectionManag | ||
| > | device user to grant consent).(Citation: Fortinet screencap | > | er` (generally requires the device user to grant consent).(C | ||
| > | July 2019)(Citation: Android ScreenCap1 2019) Background ap | > | itation: Fortinet screencap July 2019)(Citation: Android Scr | ||
| > | plications can also use Android accessibility services to ca | > | eenCap1 2019) Background applications can also use Android a | ||
| > | pture screen contents being displayed by a foreground applic | > | ccessibility services to capture screen contents being displ | ||
| > | ation.(Citation: Lookout-Monokle) An adversary with root acc | > | ayed by a foreground application.(Citation: Lookout-Monokle) | ||
| > | ess or Android Debug Bridge (adb) access could call the Andr | > | An adversary with root access or Android Debug Bridge (adb) | ||
| > | oid `screencap` or `screenrecord` commands.(Citation: Androi | > | access could call the Android `screencap` or `screenrecord` | ||
| > | d ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015 | > | commands.(Citation: Android ScreenCap2 2019)(Citation: Tren | ||
| > | ) | > | d Micro ScreenCap July 2015) | ||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019. | |
| external_references | APP-40 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | APP-40 | |
| external_references | Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 15:03:25.857000+00:00 | 2022-04-01 13:31:00.559000+00:00 |
| description | Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) | Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android ScreenCap2 2019 |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html | https://developer.android.com/studio/command-line/adb |
| external_references[2]['source_name'] | Fortinet screencap July 2019 | Android ScreenCap1 2019 |
| external_references[2]['description'] | Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019. | Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019. |
| external_references[2]['url'] | https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html | https://developer.android.com/reference/android/media/projection/MediaProjectionManager |
| external_references[3]['source_name'] | Android ScreenCap1 2019 | Lookout-Monokle |
| external_references[3]['description'] | Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019. | Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. |
| external_references[3]['url'] | https://developer.android.com/reference/android/media/projection/MediaProjectionManager | https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf |
| external_references[4]['source_name'] | Lookout-Monokle | Fortinet screencap July 2019 |
| external_references[4]['description'] | Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. | Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019. |
| external_references[4]['url'] | https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf | https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html |
| external_references[5]['source_name'] | Android ScreenCap2 2019 | Trend Micro ScreenCap July 2015 |
| external_references[5]['description'] | Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019. | Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019. |
| external_references[5]['url'] | https://developer.android.com/studio/command-line/adb | https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/ |
| external_references[6]['source_name'] | Trend Micro ScreenCap July 2015 | NIST Mobile Threat Catalogue |
| external_references[6]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html |
| x_mitre_detection | The user can view a list of apps with accessibility service privileges in the device settings. | The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class. |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary may attempt to get detailed information about t | t | 1 | Adversaries may attempt to get detailed information about a |
| > | he operating system and hardware, including version, patches | > | device’s operating system and hardware, including versions, | ||
| > | , and architecture. On Android, much of this information is | > | patches, and architecture. Adversaries may use the informati | ||
| > | programmatically accessible to applications through the and | > | on from [System Information Discovery](https://attack.mitre. | ||
| > | roid.os.Build class.(Citation: Android-Build) On iOS, techn | > | org/techniques/T1426) during automated discovery to shape fo | ||
| > | iques exist for applications to programmatically access this | > | llow-on behaviors, including whether or not to fully infects | ||
| > | information.(Citation: StackOverflow-iOSVersion) | > | the target and/or attempts specific actions. On Androi | ||
| > | d, much of this information is programmatically accessible t | ||||
| > | o applications through the `android.os.Build` class. (Citati | ||||
| > | on: Android-Build) iOS is much more restrictive with what in | ||||
| > | formation is visible to applications. Typically, application | ||||
| > | s will only be able to query the device model and which vers | ||||
| > | ion of iOS it is running. | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | APP-12 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1029 | |
| external_references | Stack Overflow. (n.d.). How can we programmatically detect which iOS version is device running on?. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-11-20 19:56:49.109000+00:00 | 2022-04-11 19:21:34.776000+00:00 |
| description | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture. On Android, much of this information is programmatically accessible to applications through the android.os.Build class.(Citation: Android-Build) On iOS, techniques exist for applications to programmatically access this information.(Citation: StackOverflow-iOSVersion) | Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. On Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[2]['source_name'] | StackOverflow-iOSVersion | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html |
| x_mitre_version | 1.1 | 1.2 |
Current version: 2.2
Version changed from: 2.1 → 2.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | On Android, details of onboard network interfaces are access | t | 1 | Adversaries may look for details about the network configura |
| > | ible to apps through the `java.net.NetworkInterface` class.( | > | tion and settings, such as IP and/or MAC addresses, of opera | ||
| > | Citation: NetworkInterface) The Android `TelephonyManager` c | > | ting systems they access or through information discovery of | ||
| > | lass can be used to gather related information such as the I | > | remote systems. On Android, details of onboard network | ||
| > | MSI, IMEI, and phone number.(Citation: TelephonyManager) On | > | interfaces are accessible to apps through the `java.net.Net | ||
| > | iOS, gathering network configuration information is not pos | > | workInterface` class.(Citation: NetworkInterface) Previously | ||
| > | sible without root access. | > | , the Android `TelephonyManager` class could be used to gath | ||
| > | er telephony-related device identifiers, information such as | ||||
| > | the IMSI, IMEI, and phone number. However, starting with An | ||||
| > | droid 10, only preloaded, carrier, the default SMS, or devic | ||||
| > | e and profile owner applications can access the telephony-re | ||||
| > | lated device identifiers.(Citation: TelephonyManager) O | ||||
| > | n iOS, gathering network configuration information is not po | ||||
| > | ssible without root access. Adversaries may use the inf | ||||
| > | ormation from [System Network Configuration Discovery](https | ||||
| > | ://attack.mitre.org/techniques/T1422) during automated disco | ||||
| > | very to shape follow-on behaviors, including determining cer | ||||
| > | tain access within the target network and what actions to do | ||||
| > | next. | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1025 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-02 14:35:01.479000+00:00 | 2022-03-30 21:04:12.723000+00:00 |
| description | On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) The Android `TelephonyManager` class can be used to gather related information such as the IMSI, IMEI, and phone number.(Citation: TelephonyManager) On iOS, gathering network configuration information is not possible without root access. | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) On iOS, gathering network configuration information is not possible without root access. Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 2.1 | 2.2 |
Current version: 2.1
Version changed from: 2.0 → 2.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | On Android, applications can use standard APIs to gather a l | t | 1 | Adversaries may attempt to get a listing of network connecti |
| > | ist of network connections to and from the device. For examp | > | ons to or from the compromised device they are currently acc | ||
| > | le, the Network Connections app available in the Google Play | > | essing or from remote systems by querying for information ov | ||
| > | Store (Citation: ConnMonitor) advertises this functionality | > | er the network. This is typically accomplished by utili | ||
| > | . | > | zing device APIs to collect information about nearby network | ||
| > | s, such as Wi-Fi, Bluetooth, and cellular tower connections. | ||||
| > | On Android, this can be done by querying the respective API | ||||
| > | s: * `WifiInfo` for information about the current Wi-Fi | ||||
| > | connection, as well as nearby Wi-Fi networks. Querying the | ||||
| > | `WiFiInfo` API requires the application to hold the `ACCESS_ | ||||
| > | FINE_LOCATION` permission. * `BluetoothAdapter` for inform | ||||
| > | ation about Bluetooth devices, which also requires the appli | ||||
| > | cation to hold several permissions granted by the user at ru | ||||
| > | ntime. * For Android versions prior to Q, applications can | ||||
| > | use the `TelephonyManager.getNeighboringCellInfo()` method. | ||||
| > | For Q and later, applications can use the `TelephonyManager | ||||
| > | .getAllCellInfo()` method. Both methods require the applicat | ||||
| > | ion hold the `ACCESS_FINE_LOCATION` permission. | ||||
Dropped Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1024 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-01 19:34:17.460000+00:00 | 2022-03-31 16:31:12.821000+00:00 |
| description | On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality. | Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: * `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. * `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. * For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission. |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'ConnMonitor', 'description': 'Anti Spy Mobile. (2016, March 14). Network Connections. Retrieved December 21, 2016.', 'url': 'https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use an existing, legitimate external Web ser | t | 1 | Adversaries may use an existing, legitimate external Web ser |
| > | vice as a means for relaying commands to a compromised syste | > | vice as a means for relaying data to/from a compromised syst | ||
| > | m. These commands may also include pointers to command and | > | em. Popular websites and social media, acting as a mechanism | ||
| > | control (C2) infrastructure. Adversaries may post content, k | > | for C2, may give a significant amount of cover. This is due | ||
| > | nown as a dead drop resolver, on Web services with embedded | > | to the likelihood that hosts within a network are already c | ||
| > | (and often obfuscated/encoded) domains or IP addresses. Once | > | ommunicating with them prior to a compromise. Using common s | ||
| > | infected, victims will reach out to and be redirected by th | > | ervices, such as those offered by Google or Twitter, makes i | ||
| > | ese resolvers. Popular websites and social media acting as | > | t easier for adversaries to hide in expected noise. Web serv | ||
| > | a mechanism for C2 may give a significant amount of cover du | > | ice providers commonly use SSL/TLS encryption, giving advers | ||
| > | e to the likelihood that hosts within a network are already | > | aries an added level of protection. Use of Web services | ||
| > | communicating with them prior to a compromise. Using common | > | may also protect back-end C2 infrastructure from discovery | ||
| > | services, such as those offered by Google or Twitter, makes | > | through malware binary analysis, or enable operational resil | ||
| > | it easier for adversaries to hide in expected noise. Web ser | > | iency (since this infrastructure may be dynamically changed) | ||
| > | vice providers commonly use SSL/TLS encryption, giving adver | > | . | ||
| > | saries an added level of protection. Use of Web services ma | ||||
| > | y also protect back-end C2 infrastructure from discovery thr | ||||
| > | ough malware binary analysis while also enabling operational | ||||
| > | resiliency (since this infrastructure may be dynamically ch | ||||
| > | anged). | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-01 17:29:43.503000+00:00 | 2022-04-06 15:35:05.775000+00:00 |
| description | Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed). | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.0
Description: An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.
This object has been revoked by [T1636.001] Calendar Entries
Description for [T1636.001] Calendar Entries: Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. If the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1038 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-01 12:50:48.453000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.1
Description: On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data. On iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.
This object has been revoked by [T1636.002] Call Log
Description for [T1636.002] Call Log: Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. If the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1036 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-18 18:17:43.466000+00:00 | 2022-04-01 13:14:43.174000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.0
Description: An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.
This object has been revoked by [T1636.003] Contact List
Description for [T1636.003] Contact List: Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. If the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1035 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-01 13:19:41.180000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 2.0
Description: An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. Further, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)
This object has been revoked by [T1624.001] Broadcast Receivers
Description for [T1624.001] Broadcast Receivers: Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. An intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. In addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Alex Hinchliffe, Palo Alto Networks'] | |
| x_mitre_old_attack_id | MOB-T1005 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-27 15:28:03.858000+00:00 | 2022-03-30 14:43:46.019000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.1
Description: A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication. On Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement. On iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.
This object has been revoked by [T1636.004] SMS Messages
Description for [T1636.004] SMS Messages: Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. If the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1015 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-18 18:28:50.898000+00:00 | 2022-04-01 13:27:29.880000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 2.0
Description: A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases. Performing SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread) Malicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread) On iOS, apps cannot send SMS messages. On Android, apps must hold the `SEND_SMS` permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).
This object has been revoked by [T1643] Generate Traffic from Victim
Description for [T1643] Generate Traffic from Victim: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1051 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-04 15:40:20.943000+00:00 | 2022-04-06 13:57:38.841000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.0
Description: Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)
Adversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.
[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)
This object has been revoked by [T1641.001] Transmitted Data Manipulation
Description for [T1641.001] Transmitted Data Manipulation: Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact. One method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10. Adversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control. [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-28 18:36:26.261000+00:00 | 2022-04-06 13:41:17.512000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | ESET Clipboard Modification February 2019 | Android 10 Privacy Changes |
| external_references[1]['description'] | ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019. | Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. |
| external_references[1]['url'] | https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/ | https://developer.android.com/about/versions/10/privacy/changes#clipboard-data |
| external_references[2]['source_name'] | Welivesecurity Clipboard Modification February 2019 | Dr.Webb Clipboard Modification origin August 2018 |
| external_references[2]['description'] | Lukáš Štefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019. | Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019. |
| external_references[2]['url'] | https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/ | https://vms.drweb.com/virus/?i=17517750 |
| external_references[3]['source_name'] | Syracuse Clipboard Modification 2014 | Dr.Webb Clipboard Modification origin2 August 2018 |
| external_references[3]['description'] | Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019. | Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019. |
| external_references[3]['url'] | http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf | https://vms.drweb.com/virus/?i=17517761 |
| external_references[4]['source_name'] | Dr.Webb Clipboard Modification origin2 August 2018 | ESET Clipboard Modification February 2019 |
| external_references[4]['description'] | Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019. | ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019. |
| external_references[4]['url'] | https://vms.drweb.com/virus/?i=17517761 | https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/ |
| external_references[5]['source_name'] | Dr.Webb Clipboard Modification origin August 2018 | Welivesecurity Clipboard Modification February 2019 |
| external_references[5]['description'] | Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019. | Lukáš Štefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019. |
| external_references[5]['url'] | https://vms.drweb.com/virus/?i=17517750 | https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/ |
| external_references[6]['source_name'] | Android 10 Privacy Changes | Syracuse Clipboard Modification 2014 |
| external_references[6]['description'] | Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. | Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019. |
| external_references[6]['url'] | https://developer.android.com/about/versions/10/privacy/changes#clipboard-data | http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf |
Current version: 1.0
Description: Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries. With root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.(Citation: Google Triada June 2019)
This object has been revoked by [T1631.001] Ptrace System Calls
Description for [T1631.001] Ptrace System Calls: Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) Ptrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 04:07:06.663000+00:00 | 2022-03-30 19:14:20.369000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | Shunix Code Injection Mar 2016 | Fadeev Code Injection Aug 2018 |
| external_references[1]['description'] | Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019. | Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019. |
| external_references[1]['url'] | https://shunix.com/shared-library-injection-in-android/ | https://fadeevab.com/shared-library-injection-on-android-8/ |
| external_references[2]['source_name'] | Fadeev Code Injection Aug 2018 | Google Triada June 2019 |
| external_references[2]['description'] | Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019. | Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. |
| external_references[2]['url'] | https://fadeevab.com/shared-library-injection-on-android-8/ | https://security.googleblog.com/2019/06/pha-family-highlights-triada.html |
| external_references[3]['source_name'] | Google Triada June 2019 | Shunix Code Injection Mar 2016 |
| external_references[3]['description'] | Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. | Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019. |
| external_references[3]['url'] | https://security.googleblog.com/2019/06/pha-family-highlights-triada.html | https://shunix.com/shared-library-injection-in-android/ |
Current version: 1.0
Description: Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken. If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.
This object has been revoked by [T1623.001] Unix Shell
Description for [T1623.001] Unix Shell: Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-12-17 17:31:52.802000+00:00 | 2022-03-30 14:00:45.099000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 2.1
Description: Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019) Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.
This object has been revoked by [T1630.002] File Deletion
Description for [T1630.002] File Deletion: Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1050 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-10-01 12:52:58.150000+00:00 | 2022-03-30 19:50:37.727000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 2.0
Description: Adversaries may request device administrator permissions to perform malicious actions. By abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo) Device administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.
This object has been revoked by [T1626.001] Device Administrator Permissions
Description for [T1626.001] Device Administrator Permissions: Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app. Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020. | |
| external_references | APP-22 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1004 | |
| external_references | APP-22 | |
| external_references | Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-11-24 13:40:08.343000+00:00 | 2022-04-01 16:52:36.965000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android DeviceAdminInfo |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html | https://developer.android.com/reference/android/app/admin/DeviceAdminInfo |
| external_references[2]['source_name'] | Android DeviceAdminInfo | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | https://developer.android.com/reference/android/app/admin/DeviceAdminInfo | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html |
Current version: 2.0
Description: An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment. On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword) On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)
This object has been revoked by [T1629.002] Device Lockout
Description for [T1629.002] Device Lockout: An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018) Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016. | |
| external_references | APP-28 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1049 | |
| external_references | APP-28 | |
| external_references | Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-09 14:39:38.930000+00:00 | 2022-04-01 18:49:51.039000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Xiao-KeyRaider |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html | http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ |
| external_references[3]['source_name'] | Xiao-KeyRaider | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html |
Current version: 1.1
Description: An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).
This object has been revoked by [T1630.003] Disguise Root/Jailbreak Indicators
Description for [T1630.003] Disguise Root/Jailbreak Indicators: An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016. | |
| external_references | EMM-5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1011 | |
| external_references | EMM-5 | |
| external_references | Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 14:34:59.071000+00:00 | 2022-04-08 16:29:55.321000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Brodie |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html | https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf |
| external_references[2]['source_name'] | Brodie | Rastogi |
| external_references[2]['description'] | Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016. | Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016. |
| external_references[2]['url'] | https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf | http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf |
| external_references[4]['source_name'] | Rastogi | NIST Mobile Threat Catalogue |
| external_references[4]['url'] | http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html |
Current version: 1.0
Description: Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018) DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.
This object has been revoked by [T1637.001] Domain Generation Algorithms
Description for [T1637.001] Domain Generation Algorithms: Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018) DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-23 14:53:42.654000+00:00 | 2022-04-05 20:03:46.788000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | securelist rotexy 2018 | Data Driven Security DGA |
| external_references[1]['description'] | T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. | Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019. |
| external_references[1]['url'] | https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/ | https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/ |
| external_references[2]['source_name'] | Data Driven Security DGA | securelist rotexy 2018 |
| external_references[2]['description'] | Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019. | T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. |
| external_references[2]['url'] | https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/ | https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/ |
Current version: 1.1
Description: An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.
This object has been revoked by [T1638] Adversary-in-the-Middle
Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017. | |
| external_references | CEL-3 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1069 | |
| external_references | CEL-3 | |
| external_references | Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 15:16:13.386000+00:00 | 2022-04-06 15:50:42.480000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | NIST-SP800187 |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf |
| external_references[2]['source_name'] | NIST-SP800187 | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html |
Current version: 1.1
Description: If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)
This object has been revoked by [T1638] Adversary-in-the-Middle
Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016. | |
| external_references | APP-1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1042 | |
| external_references | APP-0 | |
| external_references | D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 14:54:29.631000+00:00 | 2022-04-05 20:17:46.147000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | mHealth |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html | https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html |
| external_references[2]['external_id'] | APP-1 | APP-0 |
| external_references[3]['source_name'] | mHealth | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html |
Current version: 1.0
Description: Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)
This object has been revoked by [T1633.001] System Checks
Description for [T1633.001] System Checks: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Hardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-11 14:48:50.525000+00:00 | 2022-03-30 17:54:56.590000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | Talos Gustuff Apr 2019 | Sophos Anti-emulation |
| external_references[1]['description'] | Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. | Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019. |
| external_references[1]['url'] | https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html | https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/ |
| external_references[2]['source_name'] | ThreatFabric Cerberus | Xiao-ZergHelper |
| external_references[2]['description'] | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019. | Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016. |
| external_references[2]['url'] | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html | http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/ |
| external_references[3]['source_name'] | Xiao-ZergHelper | Cyberscoop Evade Analysis January 2019 |
| external_references[3]['description'] | Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016. | Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019. |
| external_references[3]['url'] | http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/ | https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/ |
| external_references[4]['source_name'] | Cyberscoop Evade Analysis January 2019 | ThreatFabric Cerberus |
| external_references[4]['description'] | Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019. | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019. |
| external_references[4]['url'] | https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/ | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html |
| external_references[6]['source_name'] | Sophos Anti-emulation | Talos Gustuff Apr 2019 |
| external_references[6]['description'] | Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019. | Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. |
| external_references[6]['url'] | https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/ | https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html |
Current version: 2.0
Description: Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
This object has been revoked by [T1644] Out of Band Data
Description for [T1644] Out of Band Data: Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. On Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. On iOS, there is no way to programmatically read push notifications.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1041 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-18 19:46:02.529000+00:00 |
| name | Alternate Network Mediums | Exfiltration Over Other Network Medium |
| description | Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems. | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'exfiltration'} |
Current version: 1.1
Description: An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)
This object has been revoked by [T1430.002] Impersonate SS7 Nodes
Description for [T1430.002] Impersonate SS7 Nodes: Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016. | |
| external_references | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html | |
| external_references | CEL-38 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1053 | |
| external_references | CEL-38 | |
| external_references | https://www.youtube.com/watch?v=q0n5ySqbfdI | |
| external_references | CSRIC-WG1-FinalReport |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 15:06:10.014000+00:00 | 2022-04-05 19:54:12.657000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | 3GPP-Security |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html | http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf |
| external_references[2]['source_name'] | Engel-SS7 | CSRIC5-WG10-FinalReport |
| external_references[2]['description'] | Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016. | Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017. |
| external_references[2]['url'] | https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf |
| external_references[3]['source_name'] | Engel-SS7-2008 | CSRIC-WG1-FinalReport |
| external_references[3]['description'] | Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016. | CSRIC-WG1-FinalReport |
| external_references[4]['source_name'] | 3GPP-Security | Positive-SS7 |
| external_references[4]['description'] | 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016. | Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016. |
| external_references[4]['url'] | http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf | https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf |
| external_references[5]['source_name'] | Positive-SS7 | Engel-SS7-2008 |
| external_references[5]['description'] | Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016. | Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016. |
| external_references[5]['url'] | https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf | https://www.youtube.com/watch?v=q0n5ySqbfdI |
| external_references[6]['source_name'] | CSRIC5-WG10-FinalReport | Engel-SS7 |
| external_references[6]['description'] | Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017. | Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016. |
| external_references[6]['url'] | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf | https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf |
| external_references[7]['source_name'] | CSRIC-WG1-FinalReport | NIST Mobile Threat Catalogue |
Current version: 1.0
Description: An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.
This object has been revoked by [T1643] Generate Traffic from Victim
Description for [T1643] Generate Traffic from Victim: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1075 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-07-03 20:21:22.168000+00:00 | 2022-04-06 13:57:49.177000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.0
Description: Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv) [Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API) Similarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services) [Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.
This object has been revoked by [T1627.001] Geofencing
Description for [T1627.001] Geofencing: Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv) [Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include "Allow only while using the app", which will effectively prohibit background location collection. Similarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground. [Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-10-01 12:43:41.494000+00:00 | 2022-03-30 20:43:31.244000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[2]['source_name'] | Android Geofencing API | Apple Location Services |
| external_references[2]['description'] | Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020. | Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020. |
| external_references[2]['url'] | https://developer.android.com/training/location/geofencing | https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services |
| external_references[3]['source_name'] | Apple Location Services | Android Geofencing API |
| external_references[3]['description'] | Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020. | Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020. |
| external_references[3]['url'] | https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services | https://developer.android.com/training/location/geofencing |
Current version: 2.1
Description: The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information. Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices) Specific approaches to this technique include: ### Impersonate the identity of a legitimate application A malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance) ### Display a prompt on top of a running legitimate application A malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include: * A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background) * A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles) ### Fake device notifications A malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)
This object has been revoked by [T1417.002] GUI Input Capture
Description for [T1417.002] GUI Input Capture: Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices) There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include: * Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background) * Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016. | |
| external_references | APP-31 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1014 | |
| external_references | APP-31 | |
| external_references | Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 15:04:20.321000+00:00 | 2022-04-05 19:52:32.190000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Felt-PhishingOnMobileDevices |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html | http://w2spconf.com/2011/papers/felt-mobilephishing.pdf |
| external_references[2]['source_name'] | Felt-PhishingOnMobileDevices | Android Background |
| external_references[2]['description'] | A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016. | Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019. |
| external_references[2]['url'] | http://w2spconf.com/2011/papers/felt-mobilephishing.pdf | https://developer.android.com/guide/components/activities/background-starts |
| external_references[3]['source_name'] | eset-finance | Android-getRunningTasks |
| external_references[3]['description'] | Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018. | Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017. |
| external_references[3]['url'] | https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/ | https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29 |
| external_references[4]['source_name'] | Android-getRunningTasks | Cloak and Dagger |
| external_references[4]['description'] | Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017. | Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019. |
| external_references[4]['url'] | https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29 | http://cloak-and-dagger.org/ |
| external_references[5]['source_name'] | StackOverflow-getRunningAppProcesses | Group IB Gustuff Mar 2019 |
| external_references[5]['description'] | Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017. | Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019. |
| external_references[5]['url'] | http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag | https://www.group-ib.com/blog/gustuff |
| external_references[6]['source_name'] | ThreatFabric Cerberus | eset-finance |
| external_references[6]['description'] | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019. | Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018. |
| external_references[6]['url'] | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html | https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/ |
| external_references[8]['source_name'] | Android Background | XDA Bubbles |
| external_references[8]['description'] | Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019. | Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019. |
| external_references[8]['url'] | https://developer.android.com/guide/components/activities/background-starts | https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/ |
| external_references[9]['source_name'] | Cloak and Dagger | NowSecure Android Overlay |
| external_references[9]['description'] | Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019. | Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019. |
| external_references[9]['url'] | http://cloak-and-dagger.org/ | https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/ |
| external_references[10]['source_name'] | NowSecure Android Overlay | ThreatFabric Cerberus |
| external_references[10]['description'] | Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019. | ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019. |
| external_references[10]['url'] | https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/ | https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html |
| external_references[11]['source_name'] | Skycure-Accessibility | StackOverflow-getRunningAppProcesses |
| external_references[11]['description'] | Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016. | Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017. |
| external_references[11]['url'] | https://www.skycure.com/blog/accessibility-clickjacking/ | http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag |
| external_references[12]['source_name'] | XDA Bubbles | Skycure-Accessibility |
| external_references[12]['description'] | Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019. | Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016. |
| external_references[12]['url'] | https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/ | https://www.skycure.com/blog/accessibility-clickjacking/ |
| external_references[13]['source_name'] | Group IB Gustuff Mar 2019 | NIST Mobile Threat Catalogue |
| external_references[13]['url'] | https://www.group-ib.com/blog/gustuff | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html |
Current version: 1.0
Description: An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile). For example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)). On iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).
This object has been revoked by [T1632.001] Code Signing Policy Modification
Description for [T1632.001] Code Signing Policy Modification: Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018. | |
| external_references | STA-7 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1081 | |
| external_references | STA-7 | |
| external_references | Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-11-01 18:29:08.293000+00:00 | 2022-03-30 18:18:15.903000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Talos-MDM |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html | https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html |
| external_references[3]['source_name'] | Talos-MDM | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html | https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html |
Current version: 1.0
Description: Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)
This object has been revoked by [T1634.001] Keychain
Description for [T1634.001] Keychain: Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020. | |
| external_references | AUT-11 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | AUT-11 | |
| external_references | V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 19:02:46.237000+00:00 | 2022-04-01 15:02:43.470000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Apple Keychain Services |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html | https://developer.apple.com/documentation/security/keychain_services |
| external_references[2]['source_name'] | Apple Keychain Services | Elcomsoft Decrypt Keychain |
| external_references[2]['description'] | Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020. | V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020. |
| external_references[2]['url'] | https://developer.apple.com/documentation/security/keychain_services | https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/ |
| external_references[3]['source_name'] | Elcomsoft Decrypt Keychain | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/ | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html |
Current version: 1.0
Description: An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).
This object has been revoked by [T1643] Generate Traffic from Victim
Description for [T1643] Generate Traffic from Victim: Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. If done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1055 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-07-03 20:25:59.845000+00:00 | 2022-04-06 13:57:24.726000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.1
Description: If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).
This object has been revoked by [T1638] Adversary-in-the-Middle
Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016. | |
| external_references | APP-1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1066 | |
| external_references | APP-1 | |
| external_references | Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-07-28 18:45:08.382000+00:00 | 2022-04-06 15:44:48.421000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | FireEye-SSL |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html | https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html |
| external_references[2]['source_name'] | FireEye-SSL | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html |
Current version: 1.2
Description: If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user. Many Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.
This object has been revoked by [T1625.001] System Runtime API Hijacking
Description for [T1625.001] System Runtime API Hijacking: Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Android. (n.d.). Verified Boot. Retrieved December 21, 2016. | |
| external_references | APP-27 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1003 | |
| external_references | APP-27 | |
| external_references | Apple. (2016, May). iOS Security. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-04 13:35:57.549000+00:00 | 2022-03-30 15:18:21.242000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android-VerifiedBoot |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html | https://source.android.com/security/verifiedboot/ |
| external_references[2]['source_name'] | Android-VerifiedBoot | Apple-iOSSecurityGuide |
| external_references[2]['description'] | Android. (n.d.). Verified Boot. Retrieved December 21, 2016. | Apple. (2016, May). iOS Security. Retrieved December 21, 2016. |
| external_references[2]['url'] | https://source.android.com/security/verifiedboot/ | https://www.apple.com/business/docs/iOS_Security_Guide.pdf |
| external_references[3]['source_name'] | Apple-iOSSecurityGuide | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://www.apple.com/business/docs/iOS_Security_Guide.pdf | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html |
Current version: 1.0
Description: Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.
This object has been revoked by [T1421] System Network Connections Discovery
Description for [T1421] System Network Connections Discovery: Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: * `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. * `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. * For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-07-10 15:18:16.753000+00:00 | 2022-03-31 16:33:55.068000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.0
Description: An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same. A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple. Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic. An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile. If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.
This object has been revoked by [T1638] Adversary-in-the-Middle
Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1013 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-15 17:52:24.123000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.1
Description: An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)
This object has been revoked by [T1430.001] Remote Device Management Services
Description for [T1430.001] Remote Device Management Services: An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018. | |
| external_references | EMM-7 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1071 | |
| external_references | ECO-5 | |
| external_references | Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 14:16:59.424000+00:00 | 2022-04-05 19:40:25.068000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Krebs-Location |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html | https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/ |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html |
| external_references[2]['external_id'] | EMM-7 | ECO-5 |
| external_references[3]['source_name'] | Krebs-Location | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/ | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html |
Current version: 1.1
Description: An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).
This object has been revoked by [T1638] Adversary-in-the-Middle
Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016. | |
| external_references | CEL-7 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1070 | |
| external_references | CEL-7 | |
| external_references | Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 15:17:11.346000+00:00 | 2022-04-06 15:52:41.578000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Computerworld-Femtocell |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html | http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html |
| external_references[2]['source_name'] | Computerworld-Femtocell | NIST Mobile Threat Catalogue |
| external_references[2]['url'] | http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html |
Current version: 1.1
Description: An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).
This object has been revoked by [T1638] Adversary-in-the-Middle
Description for [T1638] Adversary-in-the-Middle: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016. | |
| external_references | LPN-0 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1068 | |
| external_references | LPN-0 | |
| external_references | Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 15:15:18.023000+00:00 | 2022-04-06 15:51:11.938000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Kaspersky-DarkHotel |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html | https://blog.kaspersky.com/darkhotel-apt/6613/ |
| external_references[3]['source_name'] | Kaspersky-DarkHotel | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://blog.kaspersky.com/darkhotel-apt/6613/ | https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html |
Current version: 1.1
Description: A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)
This object has been revoked by [T1628.001] Suppress Application Icon
Description for [T1628.001] Suppress Application Icon: A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Emily Ratliff, IBM'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-11-14 18:03:26.460000+00:00 | 2022-03-30 20:07:33.279000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | android-trojan-steals-paypal-2fa | sunny-stolen-credentials |
| external_references[1]['description'] | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. | Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019. |
| external_references[1]['url'] | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/ | https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/ |
| external_references[2]['source_name'] | sunny-stolen-credentials | android-trojan-steals-paypal-2fa |
| external_references[2]['description'] | Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019. | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. |
| external_references[2]['url'] | https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/ | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/ |
Current version: 2.0
Description: Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)
This object has been revoked by [T1635.001] URI Hijacking
Description for [T1635.001] URI Hijacking: Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Leo Zhang, Trend Micro', 'Steven Du, Trend Micro'] | |
| x_mitre_old_attack_id | MOB-T1019 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-10-01 12:42:21.628000+00:00 | 2022-04-01 15:17:21.508000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.0
Description: Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: * Abusing device owner permissions to perform silent uninstallation using device owner API calls. * Abusing root permissions to delete files from the filesystem. * Abusing the accessibility service. This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.
This object has been revoked by [T1630.001] Uninstall Malicious Application
Description for [T1630.001] Uninstall Malicious Application: Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: * Abusing device owner permissions to perform silent uninstallation using device owner API calls. * Abusing root permissions to delete files from the filesystem. * Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-26 18:05:37.393000+00:00 | 2022-03-30 19:34:09.371000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.0
Description: Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.
This object has been revoked by [T1628.002] User Evasion
Description for [T1628.002] User Evasion: Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-12 18:13:25.586000+00:00 | 2022-04-11 20:06:56.032000+00:00 |
| revoked | False | True |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.0
Description: On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1016 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 15:37:34.463000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.1
Description: With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016. | |
| external_references | PHY-2 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1030 | |
| external_references | PHY-2 | |
| external_references | Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 14:51:19.932000+00:00 | 2022-04-06 15:39:14.695000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | ArsTechnica-PoisonTap |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html | http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/ |
| external_references[3]['source_name'] | ArsTechnica-PoisonTap | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/ | https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html |
Current version: 1.0
Description: Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as * TCP:80 (HTTP) * TCP:443 (HTTPS) * TCP:25 (SMTP) * TCP/UDP:53 (DNS) They may use the protocol associated with the port or a completely different protocol.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1039 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-06-19 19:25:33.180000+00:00 | 2022-04-06 15:40:47.556000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.1
Description: Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices. App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses: * [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407) * [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406) Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang) Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer) Adversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016. | |
| external_references | Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016. | |
| external_references | Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016. | |
| external_references | Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016. | |
| external_references | Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016. | |
| external_references | Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016. | |
| external_references | ECO-4 | |
| external_references | ECO-16 | |
| external_references | ECO-17 | |
| external_references | APP-20 | |
| external_references | APP-21 | |
| external_references | ECO-22 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1078 | |
| external_references | ECO-4 | |
| external_references | ECO-16 | |
| external_references | ECO-17 | |
| external_references | APP-20 | |
| external_references | APP-21 | |
| external_references | ECO-22 | |
| external_references | Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016. | |
| external_references | Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016. | |
| external_references | Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016. | |
| external_references | Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016. | |
| external_references | Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016. | |
| external_references | Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-14 17:42:49.817000+00:00 | 2022-04-06 15:41:33.827000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Oberheide-Bouncer |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html | https://jon.oberheide.org/files/summercon12-bouncer.pdf |
| external_references[2]['source_name'] | NIST Mobile Threat Catalogue | Oberheide-RemoteInstall |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html | https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/ |
| external_references[3]['source_name'] | NIST Mobile Threat Catalogue | Percoco-Bouncer |
| external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html | https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf |
| external_references[4]['source_name'] | NIST Mobile Threat Catalogue | Konoth |
| external_references[4]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html | http://www.vvdveen.com/publications/BAndroid.pdf |
| external_references[5]['source_name'] | NIST Mobile Threat Catalogue | Petsas |
| external_references[5]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html | http://dl.acm.org/citation.cfm?id=2592796 |
| external_references[6]['source_name'] | NIST Mobile Threat Catalogue | Wang |
| external_references[6]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html | https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei |
| external_references[7]['source_name'] | Petsas | NIST Mobile Threat Catalogue |
| external_references[7]['url'] | http://dl.acm.org/citation.cfm?id=2592796 | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html |
| external_references[8]['source_name'] | Oberheide-Bouncer | NIST Mobile Threat Catalogue |
| external_references[8]['url'] | https://jon.oberheide.org/files/summercon12-bouncer.pdf | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html |
| external_references[9]['source_name'] | Percoco-Bouncer | NIST Mobile Threat Catalogue |
| external_references[9]['url'] | https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html |
| external_references[10]['source_name'] | Wang | NIST Mobile Threat Catalogue |
| external_references[10]['url'] | https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html |
| external_references[11]['source_name'] | Oberheide-RemoteInstall | NIST Mobile Threat Catalogue |
| external_references[11]['url'] | https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html |
| external_references[12]['source_name'] | Konoth | NIST Mobile Threat Catalogue |
| external_references[12]['url'] | http://www.vvdveen.com/publications/BAndroid.pdf | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html |
Current version: 1.2
Description: Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working. Delivery methods for the malicious application include: * [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message. * [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means. * Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird) Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018. | |
| external_references | Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018. | |
| external_references | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. | |
| external_references | AUT-9 | |
| external_references | ECO-13 | |
| external_references | ECO-21 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1079 | |
| external_references | AUT-9 | |
| external_references | ECO-13 | |
| external_references | ECO-21 | |
| external_references | Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018. | |
| external_references | Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018. | |
| external_references | Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-02-09 14:28:47.076000+00:00 | 2022-04-06 15:41:16.863000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | IBTimes-ThirdParty |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html | https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861 |
| external_references[2]['source_name'] | NIST Mobile Threat Catalogue | TrendMicro-RootingMalware |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html | https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/ |
| external_references[3]['source_name'] | NIST Mobile Threat Catalogue | android-trojan-steals-paypal-2fa |
| external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/ |
| external_references[4]['source_name'] | IBTimes-ThirdParty | TrendMicro-FlappyBird |
| external_references[4]['description'] | A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018. | Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018. |
| external_references[4]['url'] | https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861 | https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/ |
| external_references[5]['source_name'] | TrendMicro-RootingMalware | NIST Mobile Threat Catalogue |
| external_references[5]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/ | https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html |
| external_references[6]['source_name'] | TrendMicro-FlappyBird | NIST Mobile Threat Catalogue |
| external_references[6]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/ | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html |
| external_references[7]['source_name'] | android-trojan-steals-paypal-2fa | NIST Mobile Threat Catalogue |
| external_references[7]['url'] | https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/ | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html |
Current version: 1.2
Description: An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016. | |
| external_references | CEL-37 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1052 | |
| external_references | CEL-37 | |
| external_references | Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-07-28 18:43:50.490000+00:00 | 2022-04-06 15:53:27.032000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | 3GPP-Security |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html | http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf |
| external_references[2]['source_name'] | Engel-SS7 | CSRIC5-WG10-FinalReport |
| external_references[2]['description'] | Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016. | Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017. |
| external_references[2]['url'] | https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf |
| external_references[3]['source_name'] | Engel-SS7-2008 | TheRegister-SS7 |
| external_references[3]['description'] | Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016. | Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018. |
| external_references[3]['url'] | https://www.youtube.com/watch?v=q0n5ySqbfdI | https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/ |
| external_references[4]['source_name'] | 3GPP-Security | Positive-SS7 |
| external_references[4]['description'] | 3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016. | Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016. |
| external_references[4]['url'] | http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf | https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf |
| external_references[5]['source_name'] | Positive-SS7 | Engel-SS7-2008 |
| external_references[5]['description'] | Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016. | Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016. |
| external_references[5]['url'] | https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf | https://www.youtube.com/watch?v=q0n5ySqbfdI |
| external_references[6]['source_name'] | CSRIC5-WG10-FinalReport | Engel-SS7 |
| external_references[6]['description'] | Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017. | Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016. |
| external_references[6]['url'] | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf | https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf |
| external_references[7]['source_name'] | TheRegister-SS7 | NIST Mobile Threat Catalogue |
| external_references[7]['url'] | https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/ | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html |
Current version: 1.0
Description: A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016. | |
| external_references | APP-27 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1008 | |
| external_references | APP-27 | |
| external_references | laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 15:41:57.666000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | EkbergTEE |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html | https://usmile.at/symposium/program/2015/ekberg |
| external_references[4]['source_name'] | EkbergTEE | laginimaineb-TEE |
| external_references[4]['description'] | Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016. | laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016. |
| external_references[4]['url'] | https://usmile.at/symposium/program/2015/ekberg | http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html |
| external_references[5]['source_name'] | laginimaineb-TEE | NIST Mobile Threat Catalogue |
| external_references[5]['url'] | http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html |
Current version: 1.1
Description: The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces. ### Baseband Vulnerability Exploitation A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband). ### Malicious SMS Message An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1080 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 15:19:22.439000+00:00 | 2022-04-06 15:42:13.444000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | ProjectZero-BroadcomWiFi | Forbes-iPhoneSMS |
| external_references[1]['description'] | Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018. | Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016. |
| external_references[1]['url'] | https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html | http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html |
| external_references[3]['source_name'] | Weinmann-Baseband | ProjectZero-BroadcomWiFi |
| external_references[3]['description'] | R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016. | Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018. |
| external_references[3]['url'] | https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf | https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html |
| external_references[4]['source_name'] | Forbes-iPhoneSMS | Weinmann-Baseband |
| external_references[4]['description'] | Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016. | R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016. |
| external_references[4]['url'] | http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html | https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf |
Current version: 2.1
Description: An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application. Embedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method. Pretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox) Malicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. | |
| external_references | Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016. | |
| external_references | APP-31 | |
| external_references | APP-14 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1047 | |
| external_references | APP-31 | |
| external_references | APP-14 | |
| external_references | Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016. | |
| external_references | A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-08 15:19:56.147000+00:00 | 2022-04-06 15:45:52.558000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Palo Alto HenBox |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html | https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ |
| external_references[2]['source_name'] | NIST Mobile Threat Catalogue | Zhou |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html | http://ieeexplore.ieee.org/document/6234407 |
| external_references[3]['source_name'] | Zhou | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | http://ieeexplore.ieee.org/document/6234407 | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html |
| external_references[4]['source_name'] | Palo Alto HenBox | NIST Mobile Threat Catalogue |
| external_references[4]['url'] | https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html |
Current version: 1.1
Description: ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1006 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-09 19:39:32.872000+00:00 | 2022-04-06 15:46:29.338000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
Current version: 1.1
Description: If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Apple. (2016, May). iOS Security. Retrieved December 21, 2016. | |
| external_references | APP-27 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1002 | |
| external_references | APP-27 | |
| external_references | Apple. (2016, May). iOS Security. Retrieved December 21, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 14:23:10.576000+00:00 | 2022-04-06 15:48:41.647000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Apple-iOSSecurityGuide |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html | https://www.apple.com/business/docs/iOS_Security_Guide.pdf |
| external_references[3]['source_name'] | Apple-iOSSecurityGuide | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://www.apple.com/business/docs/iOS_Security_Guide.pdf | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html |
Current version: 1.0
Description: An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016. | |
| external_references | Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018. | |
| external_references | ECO-0 | |
| external_references | ECO-1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1073 | |
| external_references | ECO-0 | |
| external_references | ECO-1 | |
| external_references | Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016. | |
| external_references | Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 15:54:11.189000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Elcomsoft-EPPB |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html | https://www.elcomsoft.com/eppb.html |
| external_references[2]['source_name'] | NIST Mobile Threat Catalogue | Elcomsoft-WhatsApp |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html | https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/ |
| external_references[3]['source_name'] | Elcomsoft-EPPB | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://www.elcomsoft.com/eppb.html | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html |
| external_references[4]['source_name'] | Elcomsoft-WhatsApp | NIST Mobile Threat Catalogue |
| external_references[4]['url'] | https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/ | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html |
Current version: 1.0
Description: An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_is_subtechnique | False | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016. | |
| external_references | EMM-7 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1072 | |
| external_references | ECO-5 | |
| external_references | Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 15:54:28.187000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Honan-Hacking |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html | https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html | https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html |
| external_references[2]['external_id'] | EMM-7 | ECO-5 |
| external_references[3]['source_name'] | Honan-Hacking | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ | https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html |
Current version: 1.2
Description: An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap) One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_detection | ||
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016. | |
| external_references | STA-22 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-T1054 | |
| external_references | STA-22 | |
| external_references | John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-09-30 18:45:26.323000+00:00 | 2022-04-06 15:53:54.872000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Betanews-Simswap |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html | http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/ |
| external_references[2]['source_name'] | NYGov-Simswap | Krebs-SimSwap |
| external_references[2]['description'] | New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016. | Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018. |
| external_references[2]['url'] | http://www.dos.ny.gov/consumerprotection/scams/att-sim.html | https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/ |
| external_references[3]['source_name'] | Motherboard-Simswap2 | TechCrunch-SimSwap |
| external_references[3]['description'] | Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018. | John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018. |
| external_references[3]['url'] | https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam | https://techcrunch.com/2017/08/23/i-was-hacked/ |
| external_references[4]['source_name'] | Betanews-Simswap | Motherboard-Simswap2 |
| external_references[4]['description'] | Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016. | Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018. |
| external_references[4]['url'] | http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/ | https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam |
| external_references[5]['source_name'] | Guardian-Simswap | Motherboard-Simswap1 |
| external_references[5]['description'] | Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016. | Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018. |
| external_references[5]['url'] | https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters | https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin |
| external_references[6]['source_name'] | Motherboard-Simswap1 | Guardian-Simswap |
| external_references[6]['description'] | Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018. | Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016. |
| external_references[6]['url'] | https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin | https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters |
| external_references[7]['source_name'] | Krebs-SimSwap | NYGov-Simswap |
| external_references[7]['description'] | Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018. | New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016. |
| external_references[7]['url'] | https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/ | http://www.dos.ny.gov/consumerprotection/scams/att-sim.html |
| external_references[8]['source_name'] | TechCrunch-SimSwap | NIST Mobile Threat Catalogue |
| external_references[8]['url'] | https://techcrunch.com/2017/08/23/i-was-hacked/ | https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html |
Current version: 1.4
Version changed from: 1.3 → 1.4
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack', 'mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 15:32:08.360000+00:00 | 2022-03-02 15:47:13.329000+00:00 |
| x_mitre_version | 1.3 | 1.4 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-10-16 01:48:10.412000+00:00 | 2021-12-07 14:46:08.852000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Adups'] | |
| x_mitre_old_attack_id | MOB-S0025 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Allwinner'] | |
| x_mitre_old_attack_id | MOB-S0035 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['AndroRAT'] | |
| x_mitre_old_attack_id | MOB-S0008 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/ |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['BrainTest'] | |
| x_mitre_old_attack_id | MOB-S0009 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-12-11 20:40:31.461000+00:00 | 2022-04-15 15:36:43.770000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[1]['source_name'] | BrainTest | CheckPoint-BrainTest |
| external_references[1]['description'] | (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest) | Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016. |
| external_references[2]['source_name'] | CheckPoint-BrainTest | Lookout-BrainTest |
| external_references[2]['description'] | Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016. | Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016. |
| external_references[2]['url'] | http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/ | https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/ |
| x_mitre_version | 1.1 | 1.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Lookout-BrainTest', 'description': 'Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.', 'url': 'https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/'} |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['DressCode'] | |
| x_mitre_old_attack_id | MOB-S0016 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['DualToy'] | |
| x_mitre_old_attack_id | MOB-S0031 | |
| x_mitre_platforms | ['Android', 'iOS'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['HummingBad'] | |
| x_mitre_old_attack_id | MOB-S0038 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['HummingWhale'] | |
| x_mitre_old_attack_id | MOB-S0037 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Judy'] | |
| x_mitre_old_attack_id | MOB-S0041 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['KeyRaider'] | |
| x_mitre_old_attack_id | MOB-S0004 | |
| x_mitre_platforms | ['iOS'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Marcher'] | |
| x_mitre_old_attack_id | MOB-S0033 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references[1]['source_name'] | Marcher | Proofpoint-Marcher |
| external_references[1]['description'] | (Citation: Proofpoint-Marcher) | Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018. |
| x_mitre_version | 1.1 | 1.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Proofpoint-Marcher', 'description': 'Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks'} |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['MazarBOT'] | |
| x_mitre_old_attack_id | MOB-S0019 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['NotCompatible'] | |
| x_mitre_old_attack_id | MOB-S0015 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['OBAD'] | |
| x_mitre_old_attack_id | MOB-S0002 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['OldBoot'] | |
| x_mitre_old_attack_id | MOB-S0001 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['PJApps'] | |
| x_mitre_old_attack_id | MOB-S0007 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['RuMMS'] | |
| x_mitre_old_attack_id | MOB-S0029 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['ShiftyBug'] | |
| x_mitre_old_attack_id | MOB-S0010 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Trojan-SMS.AndroidOS.Agent.ao'] | |
| x_mitre_old_attack_id | MOB-S0023 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Trojan-SMS.AndroidOS.FakeInst.a'] | |
| x_mitre_old_attack_id | MOB-S0022 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Trojan-SMS.AndroidOS.OpFake.a'] | |
| x_mitre_old_attack_id | MOB-S0024 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['WireLurker'] | |
| x_mitre_old_attack_id | MOB-S0028 | |
| x_mitre_platforms | ['iOS'] |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references[1]['description'] | (Citation: PaloAlto-WireLurker) | Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017. |
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['X-Agent for Android'] | |
| x_mitre_old_attack_id | MOB-S0030 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['Xbot'] | |
| x_mitre_old_attack_id | MOB-S0014 | |
| x_mitre_platforms | ['Android'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['XcodeGhost'] | |
| x_mitre_old_attack_id | MOB-S0013 | |
| x_mitre_platforms | ['iOS'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['YiSpecter'] | |
| x_mitre_old_attack_id | MOB-S0027 | |
| x_mitre_platforms | ['iOS'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.0
Version changed from: 1.1 → 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_aliases | ['ZergHelper'] | |
| x_mitre_old_attack_id | MOB-S0003 | |
| x_mitre_platforms | ['iOS'] |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_version | 1.1 | 1.0 |
Current version: 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-S0036 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-08-09 18:02:06.618000+00:00 | 2022-05-20 17:13:16.506000+00:00 |
| external_references[0]['source_name'] | mitre-mobile-attack | mitre-attack |
| external_references[2]['source_name'] | Zscaler-SuperMarioRun | Proofpoint-Droidjack |
| external_references[2]['description'] | Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017. | Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017. |
| external_references[2]['url'] | https://www.zscaler.com/blogs/research/super-mario-run-malware-2-–-droidjack-rat | https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app |
| external_references[3]['source_name'] | Proofpoint-Droidjack | Zscaler-SuperMarioRun |
| external_references[3]['description'] | Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017. | Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017. |
| external_references[3]['url'] | https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app | https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat |
Current version: 4.0
Version changed from: 3.2 → 4.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-18 20:34:03.233000+00:00 | 2022-03-16 18:08:13.958000+00:00 |
| external_references[2]['source_name'] | SNAKEMACKEREL | IRON TWILIGHT |
| external_references[2]['description'] | (Citation: Accenture SNAKEMACKEREL Nov 2018) | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
| external_references[3]['source_name'] | Swallowtail | SNAKEMACKEREL |
| external_references[3]['description'] | (Citation: Symantec APT28 Oct 2018) | (Citation: Accenture SNAKEMACKEREL Nov 2018) |
| external_references[4]['source_name'] | Group 74 | Swallowtail |
| external_references[4]['description'] | (Citation: Talos Seduploader Oct 2017) | (Citation: Symantec APT28 Oct 2018) |
| external_references[5]['source_name'] | Sednit | Group 74 |
| external_references[5]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) | (Citation: Talos Seduploader Oct 2017) |
| external_references[6]['source_name'] | Sofacy | Sednit |
| external_references[6]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) |
| external_references[7]['source_name'] | Pawn Storm | Sofacy |
| external_references[7]['description'] | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) |
| external_references[8]['source_name'] | Fancy Bear | Pawn Storm |
| external_references[8]['description'] | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) |
| external_references[9]['source_name'] | STRONTIUM | Fancy Bear |
| external_references[9]['description'] | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[10]['source_name'] | Tsar Team | STRONTIUM |
| external_references[10]['description'] | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[11]['source_name'] | Threat Group-4127 | Tsar Team |
| external_references[11]['description'] | (Citation: SecureWorks TG-4127) | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) |
| external_references[12]['source_name'] | TG-4127 | Threat Group-4127 |
| external_references[13]['source_name'] | NSA/FBI Drovorub August 2020 | TG-4127 |
| external_references[13]['description'] | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. | (Citation: SecureWorks TG-4127) |
| external_references[14]['source_name'] | Cybersecurity Advisory GRU Brute Force Campaign July 2021 | NSA/FBI Drovorub August 2020 |
| external_references[14]['description'] | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. |
| external_references[14]['url'] | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |
| external_references[15]['source_name'] | DOJ GRU Indictment Jul 2018 | Cybersecurity Advisory GRU Brute Force Campaign July 2021 |
| external_references[15]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. |
| external_references[15]['url'] | https://www.justice.gov/file/1080281/download | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF |
| external_references[16]['source_name'] | Ars Technica GRU indictment Jul 2018 | DOJ GRU Indictment Jul 2018 |
| external_references[16]['description'] | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. |
| external_references[16]['url'] | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ | https://www.justice.gov/file/1080281/download |
| external_references[17]['source_name'] | Crowdstrike DNC June 2016 | Ars Technica GRU indictment Jul 2018 |
| external_references[17]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. |
| external_references[17]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ |
| external_references[18]['source_name'] | FireEye APT28 | Crowdstrike DNC June 2016 |
| external_references[18]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[18]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
| external_references[19]['source_name'] | SecureWorks TG-4127 | FireEye APT28 |
| external_references[19]['description'] | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[19]['url'] | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[20]['source_name'] | FireEye APT28 January 2017 | SecureWorks TG-4127 |
| external_references[20]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. |
| external_references[20]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign |
| external_references[21]['source_name'] | GRIZZLY STEPPE JAR | FireEye APT28 January 2017 |
| external_references[21]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[21]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[22]['source_name'] | Sofacy DealersChoice | GRIZZLY STEPPE JAR |
| external_references[22]['description'] | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[22]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[23]['source_name'] | Palo Alto Sofacy 06-2018 | Sofacy DealersChoice |
| external_references[23]['description'] | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. |
| external_references[23]['url'] | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ |
| external_references[24]['source_name'] | Symantec APT28 Oct 2018 | Palo Alto Sofacy 06-2018 |
| external_references[24]['description'] | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. |
| external_references[24]['url'] | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
| external_references[25]['source_name'] | ESET Zebrocy May 2019 | Symantec APT28 Oct 2018 |
| external_references[25]['description'] | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. |
| external_references[25]['url'] | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government |
| external_references[26]['source_name'] | US District Court Indictment GRU Oct 2018 | ESET Zebrocy May 2019 |
| external_references[26]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. |
| external_references[26]['url'] | https://www.justice.gov/opa/page/file/1098481/download | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ |
| external_references[27]['source_name'] | Kaspersky Sofacy | US District Court Indictment GRU Oct 2018 |
| external_references[27]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[27]['url'] | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[28]['source_name'] | ESET Sednit Part 3 | Kaspersky Sofacy |
| external_references[28]['description'] | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. |
| external_references[28]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ |
| external_references[29]['source_name'] | Talos Seduploader Oct 2017 | ESET Sednit Part 3 |
| external_references[29]['description'] | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. |
| external_references[29]['url'] | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
| external_references[30]['source_name'] | Securelist Sofacy Feb 2018 | Talos Seduploader Oct 2017 |
| external_references[30]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. |
| external_references[30]['url'] | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
| external_references[31]['source_name'] | Accenture SNAKEMACKEREL Nov 2018 | Securelist Sofacy Feb 2018 |
| external_references[31]['description'] | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. |
| external_references[31]['url'] | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ |
| external_references[32]['source_name'] | TrendMicro Pawn Storm Dec 2020 | Secureworks IRON TWILIGHT Profile |
| external_references[32]['description'] | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. |
| external_references[32]['url'] | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html | https://www.secureworks.com/research/threat-profiles/iron-twilight |
| external_references[33]['source_name'] | Microsoft STRONTIUM Aug 2019 | Secureworks IRON TWILIGHT Active Measures March 2017 |
| external_references[33]['description'] | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. | Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. |
| external_references[33]['url'] | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ | https://www.secureworks.com/research/iron-twilight-supports-active-measures |
| external_references[34]['source_name'] | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 | Accenture SNAKEMACKEREL Nov 2018 |
| external_references[34]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. |
| external_references[34]['url'] | https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 |
| x_mitre_version | 3.2 | 4.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| aliases | IRON TWILIGHT | |
| external_references | {'source_name': 'TrendMicro Pawn Storm Dec 2020', 'description': 'Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.', 'url': 'https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM Aug 2019', 'description': 'MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.', 'url': 'https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020', 'description': 'Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.', 'url': 'https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/'} |
Current version: 2.2
Version changed from: 2.1 → 2.2
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Dragos Threat Intelligence'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-15 21:46:19.437000+00:00 | 2022-05-23 21:21:17.572000+00:00 |
| external_references[1]['source_name'] | Sandworm Team | VOODOO BEAR |
| external_references[1]['description'] | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[3]['source_name'] | Telebots | Sandworm Team |
| external_references[3]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[4]['source_name'] | IRON VIKING | Quedagh |
| external_references[4]['description'] | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[6]['source_name'] | Quedagh | Telebots |
| external_references[6]['description'] | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[7]['source_name'] | VOODOO BEAR | IRON VIKING |
| external_references[7]['description'] | (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[8]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | US District Court Indictment GRU Oct 2018 |
| external_references[8]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[8]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[9]['source_name'] | UK NCSC Olympic Attacks October 2020 | Dragos ELECTRUM |
| external_references[9]['description'] | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. |
| external_references[9]['url'] | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games | https://www.dragos.com/resource/electrum/ |
| external_references[10]['source_name'] | iSIGHT Sandworm 2014 | F-Secure BlackEnergy 2014 |
| external_references[10]['description'] | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. |
| external_references[10]['url'] | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf |
| external_references[11]['source_name'] | CrowdStrike VOODOO BEAR | iSIGHT Sandworm 2014 |
| external_references[11]['description'] | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. |
| external_references[11]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html |
| external_references[12]['source_name'] | USDOJ Sandworm Feb 2020 | CrowdStrike VOODOO BEAR |
| external_references[12]['description'] | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. |
| external_references[12]['url'] | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ |
| external_references[13]['source_name'] | NCSC Sandworm Feb 2020 | InfoSecurity Sandworm Oct 2014 |
| external_references[13]['description'] | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. |
| external_references[13]['url'] | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ |
| external_references[14]['source_name'] | US District Court Indictment GRU Oct 2018 | NCSC Sandworm Feb 2020 |
| external_references[14]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. |
| external_references[14]['url'] | https://www.justice.gov/opa/page/file/1098481/download | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory |
| external_references[15]['source_name'] | F-Secure BlackEnergy 2014 | USDOJ Sandworm Feb 2020 |
| external_references[15]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. |
| external_references[15]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html |
| external_references[16]['source_name'] | InfoSecurity Sandworm Oct 2014 | US District Court Indictment GRU Unit 74455 October 2020 |
| external_references[16]['description'] | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. |
| external_references[16]['url'] | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ | https://www.justice.gov/opa/press-release/file/1328521/download |
| external_references[17]['source_name'] | Dragos ELECTRUM | Secureworks IRON VIKING |
| external_references[17]['description'] | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. |
| external_references[17]['url'] | https://www.dragos.com/resource/electrum/ | https://www.secureworks.com/research/threat-profiles/iron-viking |
| external_references[18]['source_name'] | Secureworks IRON VIKING | UK NCSC Olympic Attacks October 2020 |
| external_references[18]['description'] | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. |
| external_references[18]['url'] | https://www.secureworks.com/research/threat-profiles/iron-viking | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games |
| x_mitre_version | 2.1 | 2.2 |
Current version: 1.0
Description: Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service. Enterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device. Application Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-02-18 16:14:17.809000+00:00 | 2022-04-06 14:47:46.019000+00:00 |
Current version: 1.0
Description: Warn device users not to accept requests to grant Device Administrator access to applications without good reason. Additionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_old_attack_id | MOB-M1007 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 14:47:19.714000+00:00 |