{"description": "Mobile techniques used by DocSwap, ATT&CK software S9005 (v1.0)", "name": "DocSwap (S9005)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1453", "comment": "Once accessibility permissions are granted, [DocSwap](https://attack.mitre.org/software/S9005) has abused the Accessibility Service to execute a keylogging capability.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)    ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has sent a POST request to downcat.php while recording the access time and APK URL path.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1429", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to start and stop audio recording.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1616", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has requested for the `CALL_PHONE` permission to make phone calls.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `WRITE_EXTERNAL_STORAGE` permission.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1624", "showSubtechniques": true}, {"techniqueID": "T1624.001", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has registered the following intents to automatically execute MainService on device reboot: `android.intent.action.BOOT_COMPLETED`, `android.intent.action.ACTION_POWER_CONNECTED`, and `android.intent.action.ACTION_POWER_DISCONNECTED`.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)    ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1627", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked if the victim has accessed the malicious URL from a PC. If so, [DocSwap](https://attack.mitre.org/software/S9005) redirected the victim to scan the malicious QR code using a mobile device.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1646", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has used a hardcoded IP address and port for C2 and exfiltration over socket communication.(Citation: S2W_DocSwap_Mar2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1420", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `READ_EXTERNAL_STORAGE` and `MANAGE_EXTERNAL_STORAGE` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)   ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1541", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `FOREGROUND_SERVICE` permission.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025) [DocSwap](https://attack.mitre.org/software/S9005) has also used the StartForeground API to generate a notification saying \u201cTap to view more details or stop the app\u201d in Korean and to maintain persistence.(Citation: S2W_DocSwap_Mar2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.002", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to delete files and directories.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1544", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to upload and download files via socket communication.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "When an accessibility event occurs, [DocSwap](https://attack.mitre.org/software/S9005) has used a keylogger to record the target application\u2019s icon, package name, event text, and timestamp.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)    ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1430", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to collect location information and to start/stop location information from being sent to the C2 server.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has masqueraded as a VPN application, using the same package name (` com.bycomsolutions.bycomvpn `) and having similar file structure, metadata and code routines as the legitimate application.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1575", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has decrypted the encrypted APK file security.dat using the `decryptFile` function in the `native-lib` library.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)   ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has used an obfuscated APK file and Base64-encoded URLs and files.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1660", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has used phishing messages (smishing) and emails to gain initial access to devices.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has requested for the `READ_CALL_LOG` and `WRITE_CALL_LOG` permissions and has the ability to send call logs.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has requested for the `READ_CONTACTS` and `WRITE_CONTACTS` permissions and has the ability to send contact information.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `READ_SMS` and `RECEIVE_SMS` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) [DocSwap](https://attack.mitre.org/software/S9005) also has the ability to send SMS information, including the sender or receiver, the message content, and the timestamp.(Citation: S2W_DocSwap_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.005", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to send registered account information.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1418", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to send installed application information, including application name, package name, installation timestamp, icon, and properties.(Citation: S2W_DocSwap_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `LOCAL_MAC_ADDRESS` permission and has the ability to send system information.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `LOCAL_MAC_ADDRESS` and `READ_PRIVILEGED_PHONE_STATE` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1422.002", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has checked for the `ACCESS_WIFI_STATE` and `CHANGE_WIFI_STATE` permissions.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1512", "comment": "[DocSwap](https://attack.mitre.org/software/S9005) has the ability to start and stop camera recording.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by DocSwap", "color": "#66b1ff"}]}