{
  "description": "Mobile techniques used by VajraSpy, ATT&CK software S9006 (v1.0)",
  "name": "VajraSpy (S9006)",
  "domain": "mobile-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {
      "techniqueID": "T1453",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has exploited accessibility features to intercept and exfiltrate communication from WhatsApp, WhatsApp Business and Signal, and to automatically enable necessary permissions on the user’s behalf.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1517",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has monitored and exfiltrated notifications from messaging applications and from SMS messages.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1429",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has recorded surrounding audio and phone calls from WhatsApp, WhatsApp Business, Signal, and Telegram by requesting `android.permission.RECORD_AUDIO`.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1616",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested `android.permission.CALL_PHONE`.(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1533",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.(Citation: ESET_VajraSpy_Feb2024) [VajraSpy](https://attack.mitre.org/software/S9006) has also requested `android.permission.WRITE_EXTERNAL_STORAGE` and `android.permission.READ_EXTERNAL_STORAGE`.(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1639",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1639.001",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has used Retrofit, an HTTP client for Android, to upload unencrypted data to the C2 server via HTTP.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1646",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has exfiltrated captured data to C2 via POST requests.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1420",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has searched for files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1417",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1417.001",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has logged keystrokes of an infected device.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1430",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has exfiltrated the device’s location.(Citation: ESET_VajraSpy_Feb2024) [VajraSpy](https://attack.mitre.org/software/S9006) has also requested `android.permission.ACCESS_FINE_LOCATION` and `android.permission.ACCESS_COARSE_LOCATION` to obtain the device’s location.(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1461",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested `android.permission.DISABLE_KEYGUARD` to disable the device lock screen password.(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1655",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has masqueraded as messaging and news applications.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1660",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has used a romance trap scam to convince victims to download the trojanized application.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1636",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1636.002",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected and exfiltrated the call log.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1636.003",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected and exfiltrated the contact list.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1636.004",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected and exfiltrated SMS messages.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1636.005",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested `android.permission.GET_ACCOUNTS`.(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1418",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has obtained and exfiltrated a list of installed applications.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1409",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has collected messages in WhatsApp, WhatsApp Business, and Signal.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1426",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has requested `android.permission.READ_PHONE_STATE` to collect information about the device.(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1422",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1422.002",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has scanned for Wi-Fi networks.(Citation: ESET_VajraSpy_Feb2024)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1512",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has captured pictures using the device’s camera by requesting `android.permission.CAMERA`.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1481",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1481.002",
      "comment": "[VajraSpy](https://attack.mitre.org/software/S9006) has used Firebase and Google Cloud Storage to send and receive C2 communications and to send collected data.(Citation: ESET_VajraSpy_Feb2024)(Citation: K7Dhanalakshmi_VajraSpy_April2022)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    }
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by VajraSpy", "color": "#66b1ff"}]
}