ATT&CK v18.0 Mobile
+10
-9
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--51a96195-406c-4369-85b1-c01bacd1299c",
|
||||
"id": "bundle--b9a24c99-a7c0-4b31-8658-fb17757bbcc5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,27 +8,28 @@
|
||||
"id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d",
|
||||
"created": "2020-11-04T16:43:31.619Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1603",
|
||||
"external_id": "T1603"
|
||||
},
|
||||
{
|
||||
"source_name": "Android WorkManager",
|
||||
"description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.",
|
||||
"url": "https://developer.android.com/topic/libraries/architecture/workmanager"
|
||||
},
|
||||
{
|
||||
"source_name": "Apple NSBackgroundActivityScheduler",
|
||||
"description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.",
|
||||
"url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler"
|
||||
},
|
||||
{
|
||||
"source_name": "Android WorkManager",
|
||||
"description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.",
|
||||
"url": "https://developer.android.com/topic/libraries/architecture/workmanager"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:26.617Z",
|
||||
"modified": "2025-10-24T17:48:18.936Z",
|
||||
"name": "Scheduled Task/Job",
|
||||
"description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)",
|
||||
"kill_chain_phases": [
|
||||
@@ -41,12 +42,12 @@
|
||||
"phase_name": "persistence"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_contributors": [
|
||||
"Lorin Wu, Trend Micro"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
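Review bot: The `Android WorkManager` reference appears twice in `external_references` (L65–L71 and L95–L101) with identical `source_name`, `description` and `url`; the rendered view does not show which copy is old and which is new, but if both survive on the new side one should be dropped, since anything that resolves `(Citation: Android WorkManager)` by `source_name` now has two candidates. Replacing the `x_mitre_detection` text with `""` (L167) rather than removing the key leaves an empty-string sentinel on an object where other objects in this repo simply omit the key (the deleted T1454 object at L582–L717 has no `x_mitre_detection` at all); the same pattern is in the sections at L249, L536, L788, L870, L952, L1541 and L1459, where the key appears to be newly added with `""`. Pick one representation — absent key, or `""` — and apply it to the whole set; if downstream consumers require the key to exist, the empty string is fine, but that constraint is worth stating in the commit description so the next reader does not "clean it up".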
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f3f6b6d5-b99c-4576-9c4f-3cbd225a053b",
|
||||
"id": "bundle--d8e69099-0094-4da6-bee9-85cb8ad00f00",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:35.582Z",
|
||||
"modified": "2025-10-24T17:48:20.267Z",
|
||||
"name": "Code Injection",
|
||||
"description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n",
|
||||
"kill_chain_phases": [
|
||||
@@ -53,7 +53,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
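Review bot: `x_mitre_attack_spec_version` stays at `"3.2.0"` on this object (L240) although the object is modified in this commit, whereas the Scheduled Task/Job object in the first section is bumped to `"3.3.0"` (L149); the same unchanged `"3.2.0"` shows in the sections at L408, L527, L779, L861, L943, L1109, L1327, L1453 and L1532. If the bump marks objects regenerated under the v18 spec, every object touched here should carry the same value; if only objects with structural changes are bumped, a sentence in the commit description explaining the rule would save the next reader from checking each file. Consumers that gate parsing on the spec version will otherwise see a mixed bundle.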
+25
-25
@@ -1,32 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--d0e94233-4538-442d-9d99-92af56f6524a",
|
||||
"id": "bundle--e6130947-8929-4522-bd36-6aaffd83d205",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2024-02-07T18:10:46.887Z",
|
||||
"name": "Adversary-in-the-Middle",
|
||||
"description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. 
On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. Users can see registered VPN services in the device settings. ",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "2.2",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
],
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13",
|
||||
"created": "2022-04-05T20:11:08.894Z",
|
||||
@@ -87,8 +64,31 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:21.401Z",
|
||||
"name": "Adversary-in-the-Middle",
|
||||
"description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. 
On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "2.2",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
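Review bot: The new-side description (L386) names the permission as `READ_EXTERNAL STORAGE` with a space, while the Android permission is `READ_EXTERNAL_STORAGE`; the text is carried over from the old side (L295), but since the line is re-emitted in this commit the fix is cheap: replace `READ_EXTERNAL STORAGE` with `READ_EXTERNAL_STORAGE`. The same string is shown broken across L386–L387 between `destination. ` and `On a local network`; if that break is a literal newline in the file rather than an artefact of rendering, the value is not valid JSON under RFC 8259 and the newline must be escaped as `\n`. The rest of the object is reordered rather than changed, so these are the only lines worth touching here.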
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e043a6b9-15b4-4fe8-951b-d5934fe56303",
|
||||
"id": "bundle--489a61cc-6050-4d9d-98dc-fc326410ce65",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:43.814Z",
|
||||
"modified": "2025-10-24T17:48:21.493Z",
|
||||
"name": "Abuse Elevation Control Mechanism",
|
||||
"description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--77d954ea-653a-4932-aac5-d2044d08d3a3",
|
||||
"id": "bundle--97a3ff6e-34e0-41e4-84b0-cdf19bc1dec6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
-46
@@ -1,46 +0,0 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--aa214418-46bf-4be8-b565-54ad0ee7f363",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
|
||||
"created": "2017-10-25T14:48:08.155Z",
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-mobile-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1454",
|
||||
"external_id": "T1454"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:27.255Z",
|
||||
"name": "Malicious SMS Message",
|
||||
"description": "Test",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android"
|
||||
],
|
||||
"x_mitre_version": "1.0",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3ca9a3de-a447-45b9-8400-9e89dfd738d8",
|
||||
"id": "bundle--932bc703-242c-4fec-b912-f28112397b84",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -39,7 +39,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:35.994Z",
|
||||
"modified": "2025-10-24T17:48:22.923Z",
|
||||
"name": "Obtain Device Cloud Backups",
|
||||
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.",
|
||||
"kill_chain_phases": [
|
||||
@@ -50,7 +50,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--99273979-078d-4af5-b126-0fd4372344d2",
|
||||
"id": "bundle--63dc2355-4a16-4349-8ec9-6434a5c6fa82",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:44.210Z",
|
||||
"modified": "2025-10-24T17:48:23.278Z",
|
||||
"name": "Uninstall Malicious Application",
|
||||
"description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of the accessibility service or features that typically require root access.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3df9eb2c-e7ee-47cb-bd69-3d15fbd3af9a",
|
||||
"id": "bundle--4da9dfef-45ba-47d6-a84d-1a465a7cbcfa",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:44.391Z",
|
||||
"modified": "2025-10-24T17:48:23.556Z",
|
||||
"name": "Indicator Removal on Host",
|
||||
"description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+25
-25
@@ -1,32 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c2c492c1-455c-44e9-af82-a3bf6dac2de2",
|
||||
"id": "bundle--645cd524-7529-4051-aac3-f7021ae58be6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2024-11-17T13:32:52.029Z",
|
||||
"name": "Supply Chain Compromise",
|
||||
"description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "initial-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "2.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
],
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
|
||||
"created": "2018-10-17T00:14:20.652Z",
|
||||
@@ -167,8 +144,31 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:23.643Z",
|
||||
"name": "Supply Chain Compromise",
|
||||
"description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "initial-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "2.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
+26
-26
@@ -1,33 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--adc93276-f8ed-4489-8872-106a9e1b373a",
|
||||
"id": "bundle--3ea64bf2-3508-4ca1-8921-da967eeda36d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2025-01-21T16:22:43.947Z",
|
||||
"name": "Impersonate SS7 Nodes",
|
||||
"description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "discovery"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1",
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7",
|
||||
"created": "2022-04-05T19:49:58.938Z",
|
||||
@@ -77,8 +53,32 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:24.309Z",
|
||||
"name": "Impersonate SS7 Nodes",
|
||||
"description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "discovery"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1"
|
||||
}
|
||||
]
|
||||
}
|
||||
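Review bot: The reordered object ends at `"x_mitre_version": "1.1"` (L1366) with no `x_mitre_tactic_type` on either the old or the new side, while the other technique objects re-emitted the same way in this commit carry `"x_mitre_tactic_type": ["Post-Adversary Device Access"]` (L450, L1151). The field was already absent before the change, so this is not a regression, but since the whole object is being rewritten this is the moment to confirm whether the field is expected on a mobile sub-technique and, if so, add the appropriate value.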
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a5d36ffd-ecab-4480-9695-e322c558dffa",
|
||||
"id": "bundle--2694046f-b76d-48e9-947c-af2eb3c17ece",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--50571c48-f515-43aa-b52e-007f00dda6d6",
|
||||
"id": "bundle--ca5c379d-4be2-48f6-9dfe-6d781eacc406",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -18,10 +18,11 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:27.908Z",
|
||||
"modified": "2025-10-24T17:48:25.548Z",
|
||||
"name": "Insecure Third-Party Libraries",
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--26e4e6c3-04cb-40b9-b6ed-64a828067933",
|
||||
"id": "bundle--0dbce179-855b-486e-8204-f66012e8bcb9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:44.829Z",
|
||||
"modified": "2025-10-24T17:48:25.642Z",
|
||||
"name": "Protected User Data",
|
||||
"description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
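Review bot: The new side of the `@@ -35,7 +35,7 @@` hunk replaces the `x_mitre_detection` text with `""`, dropping the defender-facing guidance (reviewing granted permissions in device settings, extra scrutiny of `RECEIVE_SMS`) with no forward pointer in the bundle; reading the two printed `modified` values as old then new, the same blanking appears in the Asymmetric Cryptography, Software Discovery, Process Discovery, Call Log, Security Software Discovery, Ptrace System Calls, Impair Defenses, Exploitation of Remote Services, Web Protocols, Steal Application Access Token and User Evasion bundles. If this content has presumably been migrated to the detection-strategy objects introduced with this release, the commit description should say so, because downstream tooling that renders or indexes `x_mitre_detection` will otherwise show empty guidance with no explanation; if it has not, the text should be retained. The key is kept with an empty string rather than omitted, which matches the App Delivered via Email Attachment bundle where `"x_mitre_detection": ""` is newly added, so consumers should treat `""` and an absent key identically.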
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--89f6c519-547d-47ce-a924-6562bd169979",
|
||||
"id": "bundle--97763594-f82c-4121-ac99-39d29c899794",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -18,7 +18,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:44.987Z",
|
||||
"modified": "2025-10-24T17:48:26.898Z",
|
||||
"name": "Asymmetric Cryptography",
|
||||
"description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).",
|
||||
"kill_chain_phases": [
|
||||
@@ -29,7 +29,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
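Review bot: The description's context line `Common public key encryption algorithms include RSA, ElGamal, and ECDSA` is inaccurate and the commit leaves it in place: ECDSA is a signature scheme and cannot conceal traffic, so the elliptic-curve example should be a key-agreement or encryption scheme, e.g. `Common public key algorithms include RSA, ElGamal, and elliptic-curve schemes such as ECDH or ECIES`. The same paragraph's claim that this `ensures that only the intended recipient can read the encrypted data` holds only when the sender has an authentic copy of the recipient's public key, which is the caveat defenders rely on for TLS inspection and is worth one qualifying clause.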
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8e1fec25-02ea-41dd-be98-ff618681a31e",
|
||||
"id": "bundle--a32ce865-86c1-4f75-8a0f-ce7cfd1d65d6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:45.152Z",
|
||||
"modified": "2025-10-24T17:48:27.789Z",
|
||||
"name": "Software Discovery",
|
||||
"description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--29f55549-32db-4659-9a54-f21b414ff1aa",
|
||||
"id": "bundle--d8113551-aac7-4e5e-bf3a-34452df62a09",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:45.337Z",
|
||||
"modified": "2025-10-24T17:48:28.244Z",
|
||||
"name": "Process Discovery",
|
||||
"description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2de73dd6-ad1a-443c-aba5-c08a68e8f3ac",
|
||||
"id": "bundle--bdbeace3-5e7f-448b-aef8-ec2a30602fee",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:45.503Z",
|
||||
"modified": "2025-10-24T17:48:29.311Z",
|
||||
"name": "Call Log",
|
||||
"description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e0377146-02bd-4b0f-b90e-38265c5d9109",
|
||||
"id": "bundle--d9fa51c5-4997-4e70-bf07-6f907d2c174a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:45.687Z",
|
||||
"modified": "2025-10-24T17:48:29.485Z",
|
||||
"name": "Security Software Discovery",
|
||||
"description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b6e27845-b51c-4cae-9ed2-8651f62bd8e5",
|
||||
"id": "bundle--b0ff9a20-f6c5-4cab-b9e7-ec36e3946754",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -18,10 +18,11 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:28.664Z",
|
||||
"modified": "2025-10-24T17:48:30.211Z",
|
||||
"name": "App Delivered via Email Attachment",
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3cc5bf47-9c83-41a3-aa37-13f49804224f",
|
||||
"id": "bundle--0fa6a848-9e77-46fe-adb6-cf4abe883d34",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:45.841Z",
|
||||
"modified": "2025-10-24T17:48:30.394Z",
|
||||
"name": "Ptrace System Calls",
|
||||
"description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.",
|
||||
"kill_chain_phases": [
|
||||
@@ -49,7 +49,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8553cd28-71aa-4cd6-8196-8c2966818f40",
|
||||
"id": "bundle--d75b477f-514d-48d8-b318-a16df1eb0516",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:45.996Z",
|
||||
"modified": "2025-10-24T17:48:30.589Z",
|
||||
"name": "Impair Defenses",
|
||||
"description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+17
-30
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--26d8a0c3-fd0e-45f1-b974-95ea8771094d",
|
||||
"id": "bundle--75c53808-a7cb-40c9-8298-c3c6e07cf0a1",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,34 +8,30 @@
|
||||
"id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
|
||||
"created": "2017-10-25T14:48:08.613Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-mobile-attack",
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1453",
|
||||
"external_id": "T1453"
|
||||
},
|
||||
{
|
||||
"source_name": "Skycure-Accessibility",
|
||||
"description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.",
|
||||
"url": "https://www.skycure.com/blog/accessibility-clickjacking/"
|
||||
"source_name": "Google_AndroidAcsOverview",
|
||||
"description": "Google. (n.d.). Android accessibility overview. Retrieved April 17, 2025.",
|
||||
"url": "https://support.google.com/accessibility/android/answer/6006564?hl=en&ref_topic=6007234&sjid=9936713164149272548-NA"
|
||||
},
|
||||
{
|
||||
"source_name": "android-trojan-steals-paypal-2fa",
|
||||
"description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.",
|
||||
"url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"
|
||||
},
|
||||
{
|
||||
"source_name": "banking-trojans-google-play",
|
||||
"description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019.",
|
||||
"url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/"
|
||||
"source_name": "SahinSRLabs_FluBot_Dec2021",
|
||||
"description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. Retrieved April 16, 2025.",
|
||||
"url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:29.002Z",
|
||||
"modified": "2025-10-27T17:12:01.143Z",
|
||||
"name": "Abuse Accessibility Features",
|
||||
"description": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)",
|
||||
"description": "Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device\u2019s user interface, such as changing the font size and adjusting contract or colors.(Citation: Google_AndroidAcsOverview) \n\nOne example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. The user types their credentials in the overlay HTML object, which is then sent to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) \n\nAnother example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends it to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) This method of attack is also described in [Keylogging](https://attack.mitre.org/techniques/T1417/001); whereas [Abuse Accessibility Features](https://attack.mitre.org/techniques/T1453) captures the overall abuse of accessibility features. ",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
@@ -44,21 +40,15 @@
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "credential-access"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "impact"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "defense-evasion"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_contributors": [
|
||||
"Luk\u00e1\u0161 \u0160tefanko, ESET"
|
||||
"Luk\u00e1\u0161 \u0160tefanko, ESET",
|
||||
"Liran Ravich, CardinalOps"
|
||||
],
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
@@ -67,10 +57,7 @@
|
||||
"x_mitre_platforms": [
|
||||
"Android"
|
||||
],
|
||||
"x_mitre_version": "2.0",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
"x_mitre_version": "3.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
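Review bot: In the `@@ -8,34 +8,30 @@` hunk the rewritten description reads `adjusting contract or colors`, which should be `adjusting contrast or colors`, and the new Google reference URL carries session-style query parameters (`&sjid=…`) that should be stripped so the citation stays stable: `"url": "https://support.google.com/accessibility/android/answer/6006564"`. In the `@@ -44,21 +40,15 @@` hunk this bundle moves to `x_mitre_attack_spec_version` `3.3.0` while every other bundle in this commit stays at `3.2.0`, and `x_mitre_deprecated` goes from `true` to `false` (with `x_mitre_version` `2.0` to `3.0` in the last hunk) while the banner that pointed consumers at T1417, T1516 and T1411 is dropped; if reviving T1453 is intended, the commit description should state it, since tooling that already remapped away from T1453 will otherwise diverge silently. Old and new sides here are inferred from print order and the two `modified` values.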
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a7850175-b3f4-4b53-8992-c7fb2b044c75",
|
||||
"id": "bundle--54db90a6-9c76-40b5-84c8-b7e0064e14e0",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:46.157Z",
|
||||
"modified": "2025-10-24T17:48:31.144Z",
|
||||
"name": "Exploitation of Remote Services",
|
||||
"description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--99d1e0b1-0995-4e6c-a94d-be66ff9054c9",
|
||||
"id": "bundle--9f495371-e3d5-49e7-88bc-d14b22b27739",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:46.363Z",
|
||||
"modified": "2025-10-24T17:48:31.318Z",
|
||||
"name": "Web Protocols",
|
||||
"description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
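Review bot: The description, a context line the commit leaves untouched, contains two wording slips on the new side: `used for web traffic as well as well as notification services` doubles `as well as`, and `in order blend in with routine device traffic` is missing `to`. The fixes are `as well as notification services` and `in order to blend in with routine device traffic`.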
+25
-25
@@ -1,32 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--abdc4627-4311-40b1-a845-a16de74c9183",
|
||||
"id": "bundle--b6b3d600-1a81-4b61-9f0f-8bfb4eb31cab",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2023-12-26T19:17:13.294Z",
|
||||
"name": "Steal Application Access Token",
|
||||
"description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "credential-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.2",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
],
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce",
|
||||
"created": "2022-04-01T15:12:50.740Z",
|
||||
@@ -67,8 +44,31 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:31.876Z",
|
||||
"name": "Steal Application Access Token",
|
||||
"description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "credential-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.2",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--18801b39-2dc8-4678-a737-33b1d0f1c61b",
|
||||
"id": "bundle--cb40a25d-2495-434e-bfb8-ee7d4287790f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:46.535Z",
|
||||
"modified": "2025-10-24T17:48:32.337Z",
|
||||
"name": "User Evasion",
|
||||
"description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
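Review bot: The `x_mitre_detection` value in the `@@ -30,7 +30,7 @@` hunk is replaced with `""` rather than removed, so consumers that render the field now show an empty detection section with no pointer to where the guidance went; if this reflects a move of detection content into separate detection-strategy objects, the commit description should say so, and omitting the key (or documenting that `""` now means "see detection strategies") is clearer than an empty-string sentinel. The same blanking occurs in the Virtualization/Sandbox Evasion, Keychain, Command and Scripting Interpreter, Disable or Modify Tools, Ingress Tool Transfer, Dynamic Resolution, Network Service Scanning, second User Evasion, Exfiltration Over C2 Channel, Exploitation for Privilege Escalation, Call Control, Exfiltration Over Unencrypted Non-C2 Protocol, Broadcast Receivers, Access Notifications and Network Traffic Capture or Redirection sections. These modified objects also keep `"x_mitre_attack_spec_version": "3.2.0"` while the new Accounts object added in this commit declares `"3.3.0"`; if the detection change is part of the 3.3.0 schema, the touched objects presumably need the same bump. Every section also regenerates the bundle `id`, which turns otherwise content-free exports into diffs (the five `+1 -1` sections); a stable, deterministic bundle id would leave only the real content changes to review.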
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b4f27fd0-8e9e-46fc-b5fd-f10e0a8f163f",
|
||||
"id": "bundle--54454dc5-cfee-4aee-a421-b7eb84c009be",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:46.725Z",
|
||||
"modified": "2025-10-24T17:48:32.877Z",
|
||||
"name": "Virtualization/Sandbox Evasion",
|
||||
"description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c6dd63a2-b13a-4a7f-8760-068b3f4471aa",
|
||||
"id": "bundle--d13f6a91-d64e-4c0e-a88c-4ff571b4b001",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:36.750Z",
|
||||
"modified": "2025-10-24T17:48:32.963Z",
|
||||
"name": "Keychain",
|
||||
"description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)",
|
||||
"kill_chain_phases": [
|
||||
@@ -45,7 +45,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4fac8897-9ac0-4c1b-af67-fcde00b5e9ad",
|
||||
"id": "bundle--668e1c8a-32ff-46d1-b84b-4a731f2ff549",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--03cf9378-9d70-4a3b-a9cc-2abb5ce1d4c2",
|
||||
"id": "bundle--da2c5713-4c68-48dd-8c93-2033b1bd2145",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--64b02827-1e1c-4f6f-804d-e6c9628ca99b",
|
||||
"id": "bundle--83013c73-701f-41bc-b70f-fa10a7ec4e5a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:46.879Z",
|
||||
"modified": "2025-10-24T17:48:33.677Z",
|
||||
"name": "Command and Scripting Interpreter",
|
||||
"description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5c23d7ae-0a99-4630-b606-b7266799a1cc",
|
||||
"id": "bundle--58cd1e10-9e1a-46dd-9bbd-19df38204f12",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:47.026Z",
|
||||
"modified": "2025-10-24T17:48:33.763Z",
|
||||
"name": "Disable or Modify Tools",
|
||||
"description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Users can view a list of active device administrators in the device settings.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--df20b58f-cb0a-484b-b305-a3f37e074c9a",
|
||||
"id": "bundle--8d2919c7-cd86-411f-9b17-9d43032dfc5a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:47.175Z",
|
||||
"modified": "2025-10-24T17:48:34.355Z",
|
||||
"name": "Ingress Tool Transfer",
|
||||
"description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6515534f-9326-4710-b557-4f7940d989bb",
|
||||
"id": "bundle--44736e69-6c89-4c6d-bcac-5a63efb9619f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:47.329Z",
|
||||
"modified": "2025-10-24T17:48:34.706Z",
|
||||
"name": "Dynamic Resolution",
|
||||
"description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b6a50b72-a5b5-41f7-9768-7f7f8e725343",
|
||||
"id": "bundle--2c9f3846-b49e-4351-b2d3-cfbdbd28a43e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--df7965a0-1293-4662-ab94-273f162cd519",
|
||||
"id": "bundle--ccfa1a4e-327a-4f2e-b9f1-c4a714543851",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:47.481Z",
|
||||
"modified": "2025-10-24T17:48:35.175Z",
|
||||
"name": "Network Service Scanning",
|
||||
"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6cf398ba-ecc9-408d-ad3d-854a3cff4a8e",
|
||||
"id": "bundle--dc7938c9-4f26-4cfa-86c2-a89f8f1afb42",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:37.306Z",
|
||||
"modified": "2025-10-24T17:48:35.718Z",
|
||||
"name": "User Evasion",
|
||||
"description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
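Review bot: This object has the same `name` ("User Evasion"), a byte-identical `description` and the same former `x_mitre_detection` text as the object in the first `+3 -3` section above, and both carry `"x_mitre_deprecated": false`. If one is a revoked predecessor of the other, the `revoked` flag that would distinguish them lies outside this hunk and is worth confirming; otherwise the domain now contains two live techniques with identical text and both have lost their detection guidance. A one-line mention in the commit description of which object supersedes which would resolve the ambiguity for readers of the diff.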
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--bc308658-9036-4234-86a0-930fd3b9e6df",
|
||||
"id": "bundle--4b049405-e874-4918-8dd0-be87aacc19db",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:47.650Z",
|
||||
"modified": "2025-10-24T17:48:36.720Z",
|
||||
"name": "Exfiltration Over C2 Channel",
|
||||
"description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+54
@@ -0,0 +1,54 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1661bf18-5f14-484a-82c5-bea790b9aa01",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747",
|
||||
"created": "2025-09-17T14:58:52.520Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1636/005",
|
||||
"external_id": "T1636.005"
|
||||
},
|
||||
{
|
||||
"source_name": "Android_AccountManager_Feb2025",
|
||||
"description": "Android. (2025, February 13). AccountManager. Retrieved September 2, 2025.",
|
||||
"url": "https://developer.android.com/reference/android/accounts/AccountManager"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-09-17T15:21:58.225Z",
|
||||
"name": "Accounts",
|
||||
"description": "Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the `getAccounts()` method to list all accounts.(Citation: Android_AccountManager_Feb2025) On iOS, this can be accomplished by using the Keychain services. \n\nIf the device has been jailbroken or rooted, adversaries may be able to access [Accounts](https://attack.mitre.org/techniques/T1636/005) without the users\u2019 knowledge or approval. ",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_contributors": [
|
||||
"Google's Android Security team"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
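Review bot: The new object is created with `"x_mitre_detection": ""`, so here the empty string is a permanent sentinel rather than the residue of a migration; for a freshly authored object either omit the key or populate it, since an empty string is a "missing" convention the other fields in this bundle never use. The description says that on iOS collection "can be accomplished by using the Keychain services" while the only reference is the Android `AccountManager` page, so the iOS claim is uncited even though `x_mitre_platforms` lists iOS; reusing the `Apple Keychain Services` citation that the Keychain technique on this page already carries would close that gap. The `source_name` `Android_AccountManager_Feb2025` also departs from the space-separated citation keys used elsewhere in these bundles (e.g. `Samsung Knox Mobile Threat Defense`, `Android Changes to System Broadcasts`); one convention should be chosen. The description string ends with `approval. ` and contains `services. \n\n`, trailing spaces inside the literal that will surface in rendered output.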
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--7cdd5187-af1f-46b2-a861-02b5227c5c72",
|
||||
"id": "bundle--39e68a53-3a98-49db-ae2c-ec4ac9cd5df3",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:47.809Z",
|
||||
"modified": "2025-10-24T17:48:38.088Z",
|
||||
"name": "Exploitation for Privilege Escalation",
|
||||
"description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--dafcdebb-aaf2-4d1c-9ab4-a71896a3ec57",
|
||||
"id": "bundle--6a6c2345-86eb-4ce8-833b-cc24fcb3076e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -44,7 +44,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:47.962Z",
|
||||
"modified": "2025-10-24T17:48:38.183Z",
|
||||
"name": "Call Control",
|
||||
"description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.",
|
||||
"kill_chain_phases": [
|
||||
@@ -66,7 +66,7 @@
|
||||
"Gaetan van Diemen, ThreatFabric"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9272923c-83da-466d-9017-e8bb40cc988c",
|
||||
"id": "bundle--4048a2c7-ae0b-47c7-b712-316c24ef1ec5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:48.130Z",
|
||||
"modified": "2025-10-24T17:48:38.977Z",
|
||||
"name": "Exfiltration Over Unencrypted Non-C2 Protocol",
|
||||
"description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--445b9d16-a5b4-4243-9bba-c07904283858",
|
||||
"id": "bundle--98737477-c6cf-4f27-9be7-d0ca0dd05ca6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:48.286Z",
|
||||
"modified": "2025-10-24T17:48:39.155Z",
|
||||
"name": "Broadcast Receivers",
|
||||
"description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ",
|
||||
"kill_chain_phases": [
|
||||
@@ -38,7 +38,7 @@
|
||||
"Alex Hinchliffe, Palo Alto Networks"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5928e5f8-123e-44fc-9e3a-8f42b9c7e084",
|
||||
"id": "bundle--3468beeb-eebb-443e-a153-92f50a2f187f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6ff6943f-8dcf-4fcc-aff0-3587b193a572",
|
||||
"id": "bundle--bef474b3-153c-45fe-9584-c60f82d3d7ea",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--d2a179d1-6f52-4bbe-b3ae-f288566947ac",
|
||||
"id": "bundle--c9fa8552-df54-4d89-b3d0-b3ea8077d86d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:48.448Z",
|
||||
"modified": "2025-10-24T17:48:40.140Z",
|
||||
"name": "Access Notifications",
|
||||
"description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ",
|
||||
"kill_chain_phases": [
|
||||
@@ -39,7 +39,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--74780307-e80d-4d62-b037-ba04200193f1",
|
||||
"id": "bundle--96a7ee2f-98cd-4ed9-ad0c-ad4033cb67cf",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:37.855Z",
|
||||
"modified": "2025-10-24T17:48:40.404Z",
|
||||
"name": "Network Traffic Capture or Redirection",
|
||||
"description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.",
|
||||
"kill_chain_phases": [
|
||||
@@ -39,7 +39,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e771c16c-894a-440d-8334-f9c6ce23b3dc",
|
||||
"id": "bundle--a6f28086-9258-4dc1-a690-933b0c029531",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -84,7 +84,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:38.043Z",
|
||||
"modified": "2025-10-24T17:48:41.397Z",
|
||||
"name": "Input Prompt",
|
||||
"description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). 
A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)",
|
||||
"kill_chain_phases": [
|
||||
@@ -95,7 +95,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
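Review bot: The new side replaces the Input Prompt detection guidance with `"x_mitre_detection": "",` instead of dropping the key, so a consumer cannot tell "guidance intentionally removed in this release" from "never written"; the same blanking appears in the Exfiltration Over Alternative Protocol, Boot or Logon Initialization Scripts, Access Contact List, Compromise Client Software Binary, Software Packing, Exploit SS7, Native API, Deliver Malicious App and Remotely Wipe Data sections below, and the Biometric Spoofing and iOS Enterprise App Signing Key sections add the empty key to objects that previously had none. Nothing in these hunks points to where the removed text went (the Verified Boot / remote attestation notes, the VPN status-bar indicator, the SYSTEM_ALERT_WINDOW settings path), so a consumer reading only this bundle loses the defensive guidance; presumably v18 relocates it to separate detection objects referenced from elsewhere in the release, but that should be confirmed. Either omit the key entirely or state in the release notes that an empty `x_mitre_detection` means "see the release's detection objects", so downstream tooling does not render an empty detection section as "no detection known". Both hunks start mid-object (file lines 84 and 95), so the object's other fields are outside this view.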
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--28928059-16cd-4742-92be-f2573cdde669",
|
||||
"id": "bundle--e320a6ac-57c4-4322-b846-d57e564d42ee",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:48.656Z",
|
||||
"modified": "2025-10-24T17:48:41.491Z",
|
||||
"name": "Exfiltration Over Alternative Protocol",
|
||||
"description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--06f060a1-6b02-42b4-b5f4-c8628256fb58",
|
||||
"id": "bundle--9aaeb57b-3b60-4386-ba94-1612c8c09969",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a71497c1-c70c-48c3-910a-37476d9fd463",
|
||||
"id": "bundle--67dc9cfc-c8da-4c22-9a87-955b493881dd",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -18,10 +18,11 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:31.363Z",
|
||||
"modified": "2025-10-24T17:48:43.592Z",
|
||||
"name": "Biometric Spoofing",
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2d3cd22d-7f78-407c-b3bb-848ee83b8b04",
|
||||
"id": "bundle--ee1d4b73-217a-4a1b-ae88-5bcd21bc1c0a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:48.836Z",
|
||||
"modified": "2025-10-24T17:48:43.758Z",
|
||||
"name": "Boot or Logon Initialization Scripts",
|
||||
"description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -45,7 +45,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+25
-25
@@ -1,32 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8bd2af86-122b-4eca-b874-c4003f660508",
|
||||
"id": "bundle--02fa54ca-a87e-403c-a863-24c684ed6cb9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2024-11-17T18:31:54.804Z",
|
||||
"name": "Execution Guardrails",
|
||||
"description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "defense-evasion"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. Application vetting services can detect unnecessary and potentially permissions or API calls.",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
],
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286",
|
||||
"created": "2022-03-30T20:31:16.624Z",
|
||||
@@ -47,8 +24,31 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:44.210Z",
|
||||
"name": "Execution Guardrails",
|
||||
"description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "defense-evasion"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
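Review bot: The new side rewrites all 25 lines of the Execution Guardrails object although the only semantic changes visible are the `modified` timestamp, the blanked `x_mitre_detection`, and `x_mitre_modified_by_ref` moving from the final slot (old hunk, no trailing comma) to mid-object; the GUI Input Capture section below shows the same full rewrite. Emitting keys in a stable order at export (sorted keys, or the field order the neighbouring sections already use, where `x_mitre_attack_spec_version` precedes `x_mitre_deprecated`) would reduce these to the same three-line diffs as the other files, which matters for anyone verifying that a release changed only what it claims. Regenerating the bundle `id` on every export adds one more guaranteed diff per file; a deterministic id derived from the contained object would keep unchanged bundles byte-stable, if the build allows it. `x_mitre_attack_spec_version` stays at `3.2.0` on both sides of this hunk; worth confirming that is the intended spec version for this release.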
+29
-29
@@ -1,36 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--547c7c95-8f62-4eda-b789-3fd0c152705e",
|
||||
"id": "bundle--0fe9ab84-0892-4072-9317-09630d8a5d65",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2024-11-17T18:58:58.592Z",
|
||||
"name": "GUI Input Capture",
|
||||
"description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "credential-access"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
],
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
||||
"created": "2022-04-05T19:48:31.195Z",
|
||||
@@ -101,8 +74,35 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:45.045Z",
|
||||
"name": "GUI Input Capture",
|
||||
"description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "credential-access"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
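Review bot: The `description` value of this section's GUI Input Capture object contains a line break inside the JSON string (after "proper time. "), while every other paragraph break in the same value is the escaped `\n`; the Input Prompt section's description shows the same break. If it is a raw newline the file is not valid RFC 8259 JSON and strict parsers will reject the bundle; if it is a U+2028/U+2029 separator the file parses but the string will break out of an inline `<script>` when embedded unescaped, so either way it should be normalised to `\n` (or escaped as `\u2028`) at export. The line is unchanged context carried onto the new side, so this commit does not introduce it, but the export run that produced the 2025-10-24 re-serialization is the natural place to fix it.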
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--eb740bb7-d12b-4941-bf62-5d34724533c7",
|
||||
"id": "bundle--9801be16-4a4d-49c5-96eb-1ed9db04dbd5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:38.397Z",
|
||||
"modified": "2025-10-24T17:48:45.330Z",
|
||||
"name": "Access Contact List",
|
||||
"description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a6490d85-fe67-44f8-bd9e-48b7b5313112",
|
||||
"id": "bundle--eede6a79-0c27-478f-ae11-9391b9f8849b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:49.029Z",
|
||||
"modified": "2025-10-24T17:48:45.611Z",
|
||||
"name": "Compromise Client Software Binary",
|
||||
"description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--98be12df-3041-4690-9b8a-337958c52e73",
|
||||
"id": "bundle--587e09dd-18c9-4731-8798-48eabb3e0771",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:49.224Z",
|
||||
"modified": "2025-10-24T17:48:46.514Z",
|
||||
"name": "Software Packing",
|
||||
"description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8b653007-23b7-4c60-86c6-0d72c76092f0",
|
||||
"id": "bundle--9051b344-d45c-44c0-a3dc-4bfe25d1e04a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -18,10 +18,11 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:31.975Z",
|
||||
"modified": "2025-10-24T17:48:46.777Z",
|
||||
"name": "Abuse of iOS Enterprise App Signing Key",
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e4b93ea2-e2cb-47c6-aad5-58d43162b28f",
|
||||
"id": "bundle--3e929b51-d156-48f9-95c2-df7f3cbd5520",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -53,7 +53,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:38.781Z",
|
||||
"modified": "2025-10-24T17:48:47.128Z",
|
||||
"name": "Exploit SS7 to Track Device Location",
|
||||
"description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)",
|
||||
"kill_chain_phases": [
|
||||
@@ -64,7 +64,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f20493ba-b7c2-4148-961f-01eb07b552a3",
|
||||
"id": "bundle--85243bb2-145e-49fe-b4d8-9e44b9450e6c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:49.389Z",
|
||||
"modified": "2025-10-24T17:48:47.482Z",
|
||||
"name": "Native API",
|
||||
"description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)",
|
||||
"kill_chain_phases": [
|
||||
@@ -44,7 +44,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e1c2ae7e-210d-41cb-9c15-dec6606b8deb",
|
||||
"id": "bundle--5cb4881a-f625-462b-9ef9-ae8ed57c0275",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -54,7 +54,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:39.001Z",
|
||||
"modified": "2025-10-24T17:48:47.664Z",
|
||||
"name": "Deliver Malicious App via Other Means",
|
||||
"description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)",
|
||||
"kill_chain_phases": [
|
||||
@@ -65,7 +65,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--36f50c52-0d11-4d92-900e-189d3c79f825",
|
||||
"id": "bundle--39c15d81-9d7c-44f2-892b-9bee8868928b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:39.181Z",
|
||||
"modified": "2025-10-24T17:48:47.844Z",
|
||||
"name": "Remotely Wipe Data Without Authorization",
|
||||
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).",
|
||||
"kill_chain_phases": [
|
||||
@@ -45,7 +45,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
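Review bot: The new `"x_mitre_detection": ""` lands on an object that also carries `"x_mitre_deprecated": true`, so this blanking removes the last detection guidance the object will ever hold; deprecated techniques are not expected to receive replacement content, and nothing in this bundle points to where the text went. The same blanking repeats in the deprecated "Deliver Malicious App via Other Means" section above and in every non-trivial section below (Proxy Through Victim, Domain Generation Algorithms, Access Calendar Entries, Foreground Persistence, Audio Capture, Hijack Execution Flow, Unix Shell, Application Layer Protocol, Download New Code at Runtime, Remotely Track Device Without Authorization, System Checks, Stored Application Data, Screen Capture, Transmitted Data Manipulation), so this note stands for all of them. Consumers that render `x_mitre_detection` will now show an empty field with no signal that the content was migrated rather than lost; if the field is intentionally retired in this spec version, dropping the key, or documenting `""` as "moved to detection strategy objects", would make that explicit. Whether `x_mitre_version` should be bumped for a content removal is not visible in these hunks and is worth confirming.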
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ed36c0fe-5cd1-4a15-a81c-79bcbaf04e65",
|
||||
"id": "bundle--103c4b78-b373-4255-b180-d620f91b9142",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--626bc01d-e5aa-4d1c-b541-a1afc17a8516",
|
||||
"id": "bundle--7df69923-4260-406e-8ea5-8fc2d2d1f560",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:49.548Z",
|
||||
"modified": "2025-10-24T17:48:50.301Z",
|
||||
"name": "Proxy Through Victim",
|
||||
"description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b45b3611-a6aa-4008-bc7e-6b4793fbd572",
|
||||
"id": "bundle--c5a3714b-d5e7-4a72-96df-44fb3855a9b9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:39.358Z",
|
||||
"modified": "2025-10-24T17:48:50.736Z",
|
||||
"name": "Domain Generation Algorithms",
|
||||
"description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4af84028-d61c-4fa4-8e36-4bdbc6332e9a",
|
||||
"id": "bundle--063f9579-0d15-4006-b4cb-17fe522f8887",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:39.545Z",
|
||||
"modified": "2025-10-24T17:48:51.462Z",
|
||||
"name": "Access Calendar Entries",
|
||||
"description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f829fd71-7540-4195-838d-36f61bc5be6b",
|
||||
"id": "bundle--4377d159-f871-44bb-952f-e20ae5eb6dcc",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--22827c75-2dcc-4329-b1cc-56d65aaba2e1",
|
||||
"id": "bundle--94ec55fc-9717-4eba-bbfb-5e87ad23e7fe",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -44,7 +44,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:49.743Z",
|
||||
"modified": "2025-10-24T17:48:52.197Z",
|
||||
"name": "Foreground Persistence",
|
||||
"description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)",
|
||||
"kill_chain_phases": [
|
||||
@@ -62,7 +62,7 @@
|
||||
"Lorin Wu, Trend Micro"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e2caa661-a90a-45ad-9dc3-aa245521c6cd",
|
||||
"id": "bundle--1bbf421c-d068-452c-98b5-cd76c6617d06",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--270fb82b-25ae-4f2e-a536-b8bd5b4e82b3",
|
||||
"id": "bundle--1173e981-e214-476c-be9b-63882f0da038",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -49,7 +49,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:49.937Z",
|
||||
"modified": "2025-10-24T17:48:52.833Z",
|
||||
"name": "Audio Capture",
|
||||
"description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)",
|
||||
"kill_chain_phases": [
|
||||
@@ -60,7 +60,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--26defdc0-ed68-4f65-bb43-8f65195cab51",
|
||||
"id": "bundle--37aa901b-6dcd-4f0d-be91-c124e36393db",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:50.121Z",
|
||||
"modified": "2025-10-24T17:48:53.101Z",
|
||||
"name": "Hijack Execution Flow",
|
||||
"description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2ea3465b-af85-4725-9aa5-d8310be15491",
|
||||
"id": "bundle--d6b0bfe8-e198-4def-bb64-692e8f560db9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:50.314Z",
|
||||
"modified": "2025-10-24T17:48:54.078Z",
|
||||
"name": "Unix Shell",
|
||||
"description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5dd72193-51c9-4e8a-b030-addc61dcd580",
|
||||
"id": "bundle--b1185406-114f-446e-8658-e23981a585ba",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:50.479Z",
|
||||
"modified": "2025-10-24T17:48:54.576Z",
|
||||
"name": "Application Layer Protocol",
|
||||
"description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b3323d7f-827c-464c-826f-9841055c1cb7",
|
||||
"id": "bundle--6851fb47-7332-4f86-818b-6edc28e56213",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -18,10 +18,11 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:33.241Z",
|
||||
"modified": "2025-10-24T17:48:55.097Z",
|
||||
"name": "App Delivered via Web Download",
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
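Review bot: The section counts (+3 -2) together with the `@@ -18,10 +18,11 @@` header mean one line in the second hunk is a pure addition rather than a replacement, and from the printed lines it appears to be `"x_mitre_detection": ""` being introduced on an object that previously had no detection field at all — confirm which line is the insert. Adding an empty-string key where the key was absent carries no information and diverges from the other sections, where `""` replaces existing text; if the exporter now emits the key unconditionally, that convention should be stated, otherwise the added line can be dropped. The enclosing attack-pattern object starts and ends outside the hunk.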
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8ba3ad66-ae7b-44c3-adfe-f82837c20edf",
|
||||
"id": "bundle--740a92c7-9efb-4d80-b299-68018998d984",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:50.660Z",
|
||||
"modified": "2025-10-24T17:48:55.445Z",
|
||||
"name": "Download New Code at Runtime",
|
||||
"description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0aaebd1c-24b3-46c5-8e33-848e27a04c57",
|
||||
"id": "bundle--ba7a4ee7-5559-4027-8d1b-d4d9c8f707be",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--de2098e6-345f-4e9d-b0c6-21b3038c0d38",
|
||||
"id": "bundle--26dc77ab-d92f-4f97-b1b9-eb1033a55783",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:40.105Z",
|
||||
"modified": "2025-10-24T17:48:55.981Z",
|
||||
"name": "Remotely Track Device Without Authorization",
|
||||
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)",
|
||||
"kill_chain_phases": [
|
||||
@@ -45,7 +45,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--42678bc9-e967-4f0c-b4b9-f5adfd8490c7",
|
||||
"id": "bundle--527b3f26-287c-4219-86aa-c55629a93270",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:50.837Z",
|
||||
"modified": "2025-10-24T17:48:56.336Z",
|
||||
"name": "System Checks",
|
||||
"description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+25
-25
@@ -1,32 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3d3a7350-46ba-4001-b07f-ae955bd93500",
|
||||
"id": "bundle--ee866d7c-75df-48d6-a980-b9d3d6992da0",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2024-11-17T18:31:54.805Z",
|
||||
"name": "Stored Application Data",
|
||||
"description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "3.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
],
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
|
||||
"created": "2017-10-25T14:48:15.402Z",
|
||||
@@ -52,8 +29,31 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:56.509Z",
|
||||
"name": "Stored Application Data",
|
||||
"description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "collection"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "3.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
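Review bot: Almost all of the 25/25 diff in this section is key reordering — `modified`, `name`, `description`, `kill_chain_phases` and the `x_mitre_*` block are deleted from the top of the object and re-added after `object_marking_refs` — while the substantive changes appear to be only the refreshed `modified` timestamp, the blanked `x_mitre_detection`, and `x_mitre_modified_by_ref` moving from the last position (the copy without a trailing comma) into the middle of the object. A serializer with a fixed key order, which the other sections on this page already seem to follow, would have produced a three-line change here and kept the reorder out of review. `x_mitre_version` stays at `"3.1"` while the detection text is removed; if that is deliberate for this spec version, stating it in the commit message would help consumers that rely on the version to notice content changes.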
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4aa3e2a8-1b92-4a2d-a510-ee135404fe90",
|
||||
"id": "bundle--f4a3b06f-774b-4fc8-828d-032bdcc8995c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -49,7 +49,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:50.988Z",
|
||||
"modified": "2025-10-24T17:48:57.610Z",
|
||||
"name": "Screen Capture",
|
||||
"description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ",
|
||||
"kill_chain_phases": [
|
||||
@@ -60,7 +60,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--fdcc9c51-12ff-4ad9-a273-54810172dbb2",
|
||||
"id": "bundle--327e84a4-89ba-41f2-8a98-8fcd10e3b3ab",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:51.156Z",
|
||||
"modified": "2025-10-24T17:48:57.794Z",
|
||||
"name": "Transmitted Data Manipulation",
|
||||
"description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. 
This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3b6fb890-7064-4a40-a8d9-ac9972464cf2",
|
||||
"id": "bundle--be5b658f-62a4-4be3-b357-39dfdf3c5020",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b16a5920-70df-4b41-a74c-2a6c0ee2575a",
|
||||
"id": "bundle--bc076c81-8ec0-419e-88ab-b1ebe8e4ab3f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:40.453Z",
|
||||
"modified": "2025-10-24T17:48:58.596Z",
|
||||
"name": "URI Hijacking",
|
||||
"description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+25
-25
@@ -1,32 +1,9 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b3e3076d-b1aa-4d94-9bda-05d13415d3a3",
|
||||
"id": "bundle--eceebf8e-9c93-423a-8020-d852615d6d92",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"modified": "2024-11-17T13:32:52.030Z",
|
||||
"name": "Compromise Software Dependencies and Development Tools",
|
||||
"description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "initial-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
],
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3",
|
||||
"created": "2022-03-28T19:31:51.978Z",
|
||||
@@ -77,8 +54,31 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-10-24T17:48:58.857Z",
|
||||
"name": "Compromise Software Dependencies and Development Tools",
|
||||
"description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-mobile-attack",
|
||||
"phase_name": "initial-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_platforms": [
|
||||
"Android",
|
||||
"iOS"
|
||||
],
|
||||
"x_mitre_version": "1.1",
|
||||
"x_mitre_tactic_type": [
|
||||
"Post-Adversary Device Access"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
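Review bot: The supply-chain detection guidance is dropped with no replacement visible in this bundle — `"x_mitre_detection": ""` replaces text that told consumers to vet third-party libraries in application-vetting and to run endpoint protection on the workstations used to build mobile apps, and nothing else in the object points to where that guidance now lives. If v18 moves detection text into separate detection-strategy/analytic objects, the bundle should carry the relationship to them so tooling that keyed on `x_mitre_detection` does not silently lose coverage; if it does not, keep at least a one-line pointer in the field rather than an empty string. The key reordering (`x_mitre_modified_by_ref` moving from last to mid-object, `x_mitre_attack_spec_version` moving up) is harmless for STIX consumers but makes the object diff mostly noise; a stable key order in the generator would keep reviews focused on the real changes.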
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a354456d-3bb6-45d4-a891-26b40099dfb6",
|
||||
"id": "bundle--6f0c25ee-e455-494d-a2ed-048406d3a272",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -49,7 +49,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:40.634Z",
|
||||
"modified": "2025-10-24T17:48:58.965Z",
|
||||
"name": "Evade Analysis Environment",
|
||||
"description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n",
|
||||
"kill_chain_phases": [
|
||||
@@ -64,7 +64,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+5
-5
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--28b007c1-baf5-48c0-9277-7baf4137ec3d",
|
||||
"id": "bundle--17329219-fa21-496a-b9bb-76d484858a1a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
{
|
||||
"source_name": "Trend Micro iOS URL Hijacking",
|
||||
"description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.",
|
||||
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
|
||||
"url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
|
||||
},
|
||||
{
|
||||
"source_name": "IETF-PKCE",
|
||||
@@ -39,7 +39,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:51.304Z",
|
||||
"modified": "2025-10-24T17:48:59.057Z",
|
||||
"name": "URI Hijacking",
|
||||
"description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ",
|
||||
"kill_chain_phases": [
|
||||
@@ -48,13 +48,13 @@
|
||||
"phase_name": "credential-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_contributors": [
|
||||
"Leo Zhang, Trend Micro",
|
||||
"Steven Du, Trend Micro"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
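Review bot: Clearing `x_mitre_detection` here removed the only text that cited `(Citation: IETF-OAuthNativeApps)` and `(Citation: Android-AppLinks)`; if those two entries remain in `external_references` they are now orphaned citations, and if they were dropped the PKCE / App Links / explicit-intent hardening advice no longer has a home in this object. The part of `external_references` visible in the second hunk shows only the Trend Micro and IETF-PKCE entries, so which of the two happened cannot be confirmed from this page. Suggest either moving that guidance into the related mitigation or detection-strategy object or pruning the unused references so the citation set stays consistent with the description. Swapping the Trend Micro URL for a web.archive snapshot is the right call for a 2019 blog link.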
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2c93a62b-eb19-42ef-8ca8-363cf5f1650b",
|
||||
"id": "bundle--754819dd-1203-47ea-bb7d-0a4254a556ac",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:51.458Z",
|
||||
"modified": "2025-10-24T17:48:59.522Z",
|
||||
"name": "Subvert Trust Controls",
|
||||
"description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4bf73163-5833-43c2-be27-ebcaf9fb8ad7",
|
||||
"id": "bundle--a07889c4-57e7-472b-b715-883322129bc3",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:40.824Z",
|
||||
"modified": "2025-10-24T17:48:59.691Z",
|
||||
"name": "Access Call Log",
|
||||
"description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a6884553-de00-4097-9ff7-db97a8f4aeba",
|
||||
"id": "bundle--c8b26093-b795-47fc-b48b-bf86658948fb",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:41.041Z",
|
||||
"modified": "2025-10-24T17:49:02.464Z",
|
||||
"name": "Geofencing",
|
||||
"description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.",
|
||||
"kill_chain_phases": [
|
||||
@@ -45,7 +45,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e7eb4153-4b97-44e9-87c6-bd774063b36e",
|
||||
"id": "bundle--4e217882-f2ad-4371-b7a2-aab5b2c2f9ae",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:41.218Z",
|
||||
"modified": "2025-10-24T17:49:02.729Z",
|
||||
"name": "Device Administrator Permissions",
|
||||
"description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device\u2019s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Users can see when an app requests device administrator permissions. Users can also view which apps have device administrator permissions in the settings menu.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e93e3d02-09f0-46a9-a14f-00ae03b0e9b6",
|
||||
"id": "bundle--e9428c31-c268-4307-8e34-5a075e184152",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -18,10 +18,11 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:34.865Z",
|
||||
"modified": "2025-10-24T17:49:02.916Z",
|
||||
"name": "Remotely Install Application",
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
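Review bot: `"x_mitre_detection": ""` is added to an object that previously had no such key, so the corpus now carries two spellings of "no detection text" — key absent and key empty — which `obj.get("x_mitre_detection")`-style consumers tolerate but strict schema validators and equality-based diff tooling may not. If attack spec 3.2.0 requires the key to be present this is correct and should be applied uniformly across every technique; otherwise omit the key instead of emitting an empty string, since `""` as a null sentinel is exactly the ambiguity I-JSON style guidance warns against. The rest of this object (name, description, references) starts outside the hunk.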
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--da76e67c-85e4-4a3c-86da-1c86477388a4",
|
||||
"id": "bundle--3eb9a8c9-18da-4543-90c7-26acd35e6392",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:21:51.670Z",
|
||||
"modified": "2025-10-24T17:49:03.949Z",
|
||||
"name": "Keychain",
|
||||
"description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ",
|
||||
"kill_chain_phases": [
|
||||
@@ -45,7 +45,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--39870a39-c71a-4e5b-82d0-5975cb6de826",
|
||||
"id": "bundle--122b1df1-134a-4bc7-8dad-3ba2fa1b7593",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:41.585Z",
|
||||
"modified": "2025-10-24T17:49:04.473Z",
|
||||
"name": "Modify Cached Executable Code",
|
||||
"description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+5
-4
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0a5b0f71-5edf-4b58-81c9-6264622ddcab",
|
||||
"id": "bundle--73f357cc-613a-43cb-9f00-fcc63dc03da5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -11,7 +11,7 @@
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-mobile-attack",
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1419",
|
||||
"external_id": "T1419"
|
||||
},
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:35.161Z",
|
||||
"modified": "2025-09-08T16:32:57.531Z",
|
||||
"name": "Device Type Discovery",
|
||||
"description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.",
|
||||
"kill_chain_phases": [
|
||||
@@ -33,8 +33,9 @@
|
||||
"phase_name": "discovery"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
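Review bot: Changing `source_name` from `mitre-mobile-attack` to `mitre-attack` on the revoked T1419 object will break consumers that resolve the ATT&CK ID by filtering `external_references` on `source_name == "mitre-mobile-attack"`, which tooling written against earlier Mobile releases may well do. The object is `revoked: true`, so anyone following the revoked-by relationship still lands on the successor, but that relationship is not visible here. If this is a deliberate unification across the Mobile domain (the bump to `x_mitre_attack_spec_version` 3.3.0 suggests so), call it out in the release notes; the hunk does keep the ATT&CK entry at `external_references[0]`, which is what most parsers actually depend on. `x_mitre_deprecated: false` alongside `revoked: true` is the normal ATT&CK convention, not a conflict.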
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--633bb0be-97c9-43a9-b510-9e6f2c895771",
|
||||
"id": "bundle--d1cd03e8-56e4-4b36-9817-ff9772993f0e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--50ddefc8-2d88-4e13-b9c0-88af58374599",
|
||||
"id": "bundle--e4f3ec0f-7ced-4a00-b0ca-85b94179bd37",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--37590a4c-37a7-4697-8d9a-4df456689bd7",
|
||||
"id": "bundle--9a7d8a3c-e625-46ad-b564-a2ca0950813b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:42.129Z",
|
||||
"modified": "2025-10-24T17:49:05.463Z",
|
||||
"name": "Delete Device Data",
|
||||
"description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.",
|
||||
"kill_chain_phases": [
|
||||
@@ -39,7 +39,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--39db7a82-84cc-4025-ba7f-193d597aff27",
|
||||
"id": "bundle--e7d125d1-0823-4e13-a101-cbfabf74d68d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-18T18:00:42.305Z",
|
||||
"modified": "2025-10-24T17:49:05.648Z",
|
||||
"name": "Carrier Billing Fraud",
|
||||
"description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.",
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
+16
-15
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--26fafe60-9f4b-4026-8c61-71f5d77c5825",
|
||||
"id": "bundle--df4ad9f6-c0fb-4de6-a41c-299020bad05e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -11,24 +11,19 @@
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-mobile-attack",
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1415",
|
||||
"external_id": "T1415"
|
||||
},
|
||||
{
|
||||
"source_name": "NIST Mobile Threat Catalogue",
|
||||
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html",
|
||||
"external_id": "AUT-10"
|
||||
},
|
||||
{
|
||||
"source_name": "FireEye-Masque2",
|
||||
"description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.",
|
||||
"url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html"
|
||||
},
|
||||
{
|
||||
"source_name": "Dhanjani-URLScheme",
|
||||
"description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.",
|
||||
"url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
|
||||
"source_name": "MobileIron-XARA",
|
||||
"description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.",
|
||||
"url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"
|
||||
},
|
||||
{
|
||||
"source_name": "IETF-PKCE",
|
||||
@@ -36,15 +31,20 @@
|
||||
"url": "https://tools.ietf.org/html/rfc7636"
|
||||
},
|
||||
{
|
||||
"source_name": "MobileIron-XARA",
|
||||
"description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.",
|
||||
"url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"
|
||||
"source_name": "Dhanjani-URLScheme",
|
||||
"description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.",
|
||||
"url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
|
||||
},
|
||||
{
|
||||
"source_name": "NIST Mobile Threat Catalogue",
|
||||
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html",
|
||||
"external_id": "AUT-10"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-25T15:16:35.896Z",
|
||||
"modified": "2025-09-08T16:36:02.126Z",
|
||||
"name": "URL Scheme Hijacking",
|
||||
"description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).",
|
||||
"kill_chain_phases": [
|
||||
@@ -53,8 +53,9 @@
|
||||
"phase_name": "credential-access"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"mobile-attack"
|
||||
],
|
||||
|
||||
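Review bot: Two of the citations kept on this revoked object are weaker links than the one this commit fixed elsewhere — `http://www.dhanjani.com/blog/2010/...` is served over unauthenticated HTTP, and the 2015 `fireeye.com/blog/threat-research/...` path is the same vintage as the Trend Micro URL that this commit replaced with a web.archive snapshot in another section (whether it has rotted cannot be verified from this page). For consistency, and so the evidence behind a credential-access technique can still be checked, point both at https archive snapshots as was done for Trend Micro. The `source_name` rename to `mitre-attack` mirrors the T1419 change and carries the same compatibility caveat for consumers filtering on `mitre-mobile-attack`; the reordering of `external_references` keeps the ATT&CK entry at index 0, which is the part most parsers rely on.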